CVE-2012-2962
Published: 2012-07-30
Priority P356 · medium · 6.5 · CVSS 2.0
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 66.83% (99.2th percentile)
SQL injection vulnerability in d4d/statusFilter.php in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.2 allows remote authenticated users to execute arbitrary SQL commands via the q parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | scrutinizer | < 9.5.2 | 9.5.2 |
Detection & IOCs (extracted from sources)
command: POST /d4d/statusFilter.php commonJson=protList&q=<rnd>' union select 0x<hex_payload>,0 into outfile '../../html/d4d/<rand>.php'#
command: AAA' union select 0x<hex_payload>,0 into outfile 'C:\\Program Files\\Scrutinizer\\html\\my.php'#
- Monitor HTTP POST requests to /d4d/statusFilter.php with the 'q' parameter containing SQL UNION SELECT and INTO OUTFILE clauses, which indicate active exploitation attempts to write a PHP webshell.
- Detect POST requests to /d4d/statusFilter.php where the 'q' parameter contains a single quote followed by UNION SELECT and INTO OUTFILE targeting the Scrutinizer HTML directory (e.g., 'C:\Program Files\Scrutinizer\html\').
- Alert on the creation of new .php files under the Scrutinizer web root (e.g., C:\Program Files\Scrutinizer\html\d4d\*.php or my.php), which indicates a successful webshell drop via SQL INTO OUTFILE.
- The exploit uses 'commonJson=protList' as a required POST parameter alongside the malicious 'q' value; correlate both parameters together when hunting for exploitation attempts.
- Note that the Metasploit module states authentication is NOT required despite the NVD description saying 'remote authenticated users', so treat unauthenticated POST requests to statusFilter.php as equally suspicious.
- Check HTTP responses from /d4d/statusFilter.php for the absence of 'No Results Found' after a POST with a crafted 'q' parameter; the exploit uses this string as a success/failure indicator.
- The NVD advisory states exploitation requires authentication ('remote authenticated users'), but the Metasploit module and original PoC both assert no authentication is needed. Treat the vulnerability as pre-auth for defensive purposes.
- The Metasploit module was only confirmed tested against version 9.0.1.0, though the advisory states all versions before 9.5.2 are vulnerable.
- The INTO OUTFILE path used by the exploit is relative (../../html/d4d/) in the Metasploit module but absolute (C:\Program Files\Scrutinizer\html\) in the Python PoC; detection rules should cover both path forms.
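The hunting guidance above, written out as an added example (not code from the page's sources): a Python check that correlates the path, the `commonJson=protList` parameter, the quote/UNION SELECT/INTO OUTFILE sequence in `q`, both outfile path forms, and the 'No Results Found' response indicator. The function names, sample requests and response bodies are constructed, and the hex value is a dummy.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

TARGET_PATH = "/d4d/statusfilter.php"   # compared case-insensitively
# Single quote, then UNION SELECT, then INTO OUTFILE '<path>' (path is captured).
INJECT_RE = re.compile(
    r"'.*?\bunion\b.+?\bselect\b.+?\binto\s+outfile\s+'([^']+)'", re.I | re.S)

def inspect_request(method, url, body, response_body=None):
    """Return a finding dict for one HTTP transaction, or None if it does not match."""
    # Authentication state is deliberately ignored: treat the flaw as pre-auth.
    if method.upper() != "POST" or urlsplit(url).path.lower() != TARGET_PATH:
        return None
    params = parse_qs(body, keep_blank_values=True)   # also URL-decodes values
    m = INJECT_RE.search(" ".join(params.get("q", [])))
    if not m:
        return None
    # Normalise separators so relative and absolute (Windows) forms compare alike.
    outfile = re.sub(r"[\\/]+", "/", m.group(1)).lower()
    return {
        "outfile": outfile,
        "path_form": "absolute" if re.match(r"[a-z]:/|/", outfile) else "relative",
        "drops_php_in_webroot": outfile.endswith(".php") and "html/" in outfile,
        "has_protlist": params.get("commonJson") == ["protList"],
        # Absence of this string in the response is the exploit's success signal.
        "likely_success": response_body is not None
                          and "No Results Found" not in response_body,
    }

def _body(q):
    # Build a form-encoded POST body the way it appears on the wire.
    return urlencode({"commonJson": "protList", "q": q})

# Constructed transactions: (method, url, request body, response body).
SAMPLES = [
    ("POST", "/d4d/statusFilter.php",
     _body("ab12' union select 0x41414141,0 into outfile '../../html/d4d/zz9.php'#"),
     "constructed response without the marker"),
    ("POST", "/d4d/statusFilter.php",
     _body(r"AAA' union select 0x41414141,0 into outfile 'C:\\Program Files\\Scrutinizer\\html\\my.php'#"),
     "No Results Found"),
    ("POST", "/d4d/statusFilter.php", _body("tcp"), "constructed benign response"),
    ("GET", "/d4d/statusFilter.php?q=x", "", ""),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_request(*sample))
```

Pair a `likely_success` finding with file-creation monitoring on the web root, since the response check alone does not prove a file was written.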
GHSA
GHSA-2mfw-qmh9-qc8p
ghsa_unreviewed·2022-05-14
CVE-2012-2962 [MEDIUM] CWE-89
SQL injection vulnerability in d4d/statusFilter.php in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.2 allows remote authenticated users to execute arbitrary SQL commands via the q parameter.
SonicWall
vendor_sonicwall·2012-07-30·CVSS 6.5
CVE-2012-2962 [MEDIUM] CWE-89
CVE-2012-2962: SQL injection vulnerability in d4d/statusFilter.php in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.2 allows remote authenticated users to execute arbitrary SQL commands via the q parameter.
Suricata
ET HUNTING PDF Containing Subform with JavaScript
suricata·2012-01-28
This rule is tagged CVE-2017-2962, not CVE-2012-2962: it inspects PDF file data sent to clients and does not match the statusFilter.php SQL injection traffic described on this page.
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING PDF Containing Subform with JavaScript"; flow:established,to_client; file.data; content:"%PDF"; within:4; content:"subform"; nocase; distance:0; fast_pattern; content:"script"; nocase; distance:0; reference:cve,2017-2962; classtype:attempted-user; sid:2014154; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_28, cve CVE_2017_2962, deployment Perimeter, confidence Medium, signature_severity Major, tag DriveBy, updated_at 2024_03_13;)
Exploit-DB
Dell SonicWALL Scrutinizer 9 - SQL Injection (Metasploit)
exploitdb·2012-08-03
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "Dell SonicWALL Scrutinizer 9 SQL Injection",
'Description' => %q{
This module exploits a vulnerability found in Dell SonicWall Scrutinizer.
While handling the 'q' parameter, the PHP application does not properly filter
the user-supplied data, which can be manipulated to inject SQL commands, and
then gain remote code execution. Please note that authentication is NOT needed
to exploit this vulnerability.
},
'License' => MSF_LICENSE,
'Auth
Exploit-DB
Dell SonicWALL Scrutinizer 9.0.1 - 'statusFilter.php?q' SQL Injection
exploitdb·2012-07-22
---
#!/usr/bin/python
######################################################################################
# Exploit Title: Dell SonicWALL Scrutinizer 9.0.1 (statusFilter.php q parameter) SQL Injection
# Date: Jul 22 2012
# Author: muts
# Version: SonicWALL Scrutinizer 9.0.1
# Vendor URL: http://www.sonicwall.com
#
# Special thanks to: Tal Zeltzer
#
# Timeline:
#
# 12 Jun 2012: Vulnerability reported to CERT
# 22 Jun 2012: Response received from CERT with disclosure date set to 20 Jul 2012
# Unknown: Patch released: http://t.co/qoY9LHkO
# 22 Jul 2012: Public Disclosure
#
######################################################################################
import sys,urllib2,urllib
#php = ""
$rhost="172.16.164.1
Metasploit
Dell SonicWALL (Plixer) Scrutinizer 9 SQL Injection
metasploit
This module exploits a vulnerability found in Dell SonicWall Scrutinizer. While handling the 'q' parameter, the PHP application does not properly filter the user-supplied data, which can be manipulated to inject SQL commands, and then gain remote code execution. Please note that authentication is NOT needed to exploit this vulnerability.
No writeups or analysis indexed.
- http://secunia.com/advisories/50052
- http://www.exploit-db.com/exploits/20033
- http://www.kb.cert.org/vuls/id/404051
- http://www.osvdb.org/84232
- http://www.plixer.com/Press-Releases/plixer-releases-9-5-2.html
- http://www.securityfocus.com/bid/54625
- http://www.sonicwall.com/shared/download/Dell_SonicWALL_Scrutinizer_Service_Bulletin_for_SQL_injection_vulnerability_CVE.pdf
- https://exchange.xforce.ibmcloud.com/vulnerabilities/77148
Published: 2012-07-30