0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Imperva SecureSphere Web Application Firewall MX Blind SQL Injection
Blind SQL Injection to Imperva SecureSphere Web Application Firewall MX ======================================================================= [ADVISORY INFORMATION] Title: Blind SQL Injection on Imperva SecureSphere Web Application Firewall MX Discovery date: 09/04/2013 Release date: 09/10/2013 Vendor Homepage: www.imperva.com Version: Imperva SecureSphere WAF MX 9.5.6 Credits: Giuseppe D'Amore (g-damore@outlook.com), Mattia Folador (mattia.folador@gmail.com) [VULNERABILITY INFORMATION] Class: Blind SQL Injection AFFECTED PRODUCTS] This security vulnerability affects: * Imperva SecureSphere WAF Management Web Console (MX), version 9.5.6 [VULNERABILITY DETAILS] The management console of Imperva WAF allows an authenticated user having the only privilege to view lookup dataset, to perform a privilege escalation, and extract through a blind sql injection, the MD5 hash of Administrator's account on the console. If you inject this query: stringindatasetchoosen%%' and 1 = any (select 1 from SECURE.CONF_SECURE_MEMBERS where FULL_NAME like '%%dministrator' and rownum<=1 and PASSWORD like '0%') and '1%%'='1 into the search box under the Main Menu->Setup->Global Object->Scope Selection (Data Lookup)->Lookup Data Set, it is possible (depending on whether the query returns true or false) to extract the MD5 hash of the password of the Administrator's account on the console so: If the query return true then I see the searched string (stringindatasetchoosen), this means that the Administrator MD5 hashed password start with 0 character, by doing this, I can enumerate entire MD5, by injecting query like: and PASSWORD like '0% -> to find the first character, once you find the first character, I inject: and PASSWORD like '0a% -> to find second character and so on until you discover all 32 characters of hash. [REMEDIATION] This issue has been addressed by Imperva in the following patch release: * Patch 8.0 (August 30, 2013) [DISCLOSURE TIME-LINE] * 09/04/2012 - Initial vendor contact. * 11/07/2013 - Imperva confirmed the issue is a new security vulnerability. * 30/08/2013 - Imperva released a new patch that address the vulnerability. * 09/10/2013 - Public disclosure. [DISCLAIMER] The author is not responsible for the misuse of the information provided in this security advisory. The advisory is a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice. # 0day.today [2024-12-24] #