CVE-2012-2962
published 2012-07-30


Priority: P356, medium, 6.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 66.83% (99.2th percentile)
SQL injection vulnerability in d4d/statusFilter.php in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.2 allows remote authenticated users to execute arbitrary SQL commands via the q parameter.

Affected

1 range

Vendor     Product      Version range  Fixed in
sonicwall  scrutinizer  < 9.5.2        9.5.2

Detection & IOCs (extracted from sources)

path: /d4d/statusFilter.php
command: POST /d4d/statusFilter.php commonJson=protList&q=<rnd>' union select 0x<hex_payload>,0 into outfile '../../html/d4d/<rand>.php'#
command: AAA' union select 0x<hex_payload>,0 into outfile 'C:\\Program Files\\Scrutinizer\\html\\my.php'#
path: C:\Program Files\Scrutinizer\html\
  • Monitor HTTP POST requests to /d4d/statusFilter.php with the 'q' parameter containing SQL UNION SELECT and INTO OUTFILE clauses, which indicate active exploitation attempts to write a PHP webshell.
  • Detect POST requests to /d4d/statusFilter.php where the 'q' parameter contains a single-quote followed by UNION SELECT and INTO OUTFILE targeting the Scrutinizer HTML directory (e.g., 'C:\Program Files\Scrutinizer\html\').
  • Alert on the creation of new .php files under the Scrutinizer web root (e.g., C:\Program Files\Scrutinizer\html\d4d\*.php or my.php), which indicates successful webshell drop via SQL INTO OUTFILE.
  • The exploit uses 'commonJson=protList' as a required POST parameter alongside the malicious 'q' value; correlate both parameters together when hunting for exploitation attempts.
  • Note that the Metasploit module states authentication is NOT required despite the NVD description saying 'remote authenticated users', so treat unauthenticated POST requests to statusFilter.php as equally suspicious.
  • Check HTTP responses from /d4d/statusFilter.php for the absence of 'No Results Found' after a POST with a crafted 'q' parameter — the exploit uses this string as a success/failure indicator.
  • The NVD advisory states exploitation requires authentication ('remote authenticated users'), but the Metasploit module and original PoC both assert no authentication is needed. Treat the vulnerability as pre-auth for defensive purposes.
  • The Metasploit module was only confirmed tested against version 9.0.1.0, though the advisory states all versions before 9.5.2 are vulnerable.
  • The INTO OUTFILE path used by the exploit is relative (../../html/d4d/) in the Metasploit module but absolute (C:\Program Files\Scrutinizer\html\) in the Python PoC; detection rules should cover both path forms.
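
The hunting checks listed above, combined into one matcher and run over constructed HTTP transactions. This is an added example, not code from the advisory, the Metasploit module or the PoC; the record layout, the severity labels and all sample values are assumptions.

```python
import re
from urllib.parse import parse_qs

TARGET = "/d4d/statusfilter.php"
# Single quote, then UNION SELECT, then INTO OUTFILE (any case, any spacing).
SQLI = re.compile(r"'.*?\bunion\s+select\b.*?\binto\s+outfile\b", re.I | re.S)
# Relative (../../html/) and absolute (...\Scrutinizer\html\) web-root forms.
WEBROOT = re.compile(r"(\.\./)+html/|scrutinizer\\+html\\", re.I)

def classify(method, path, body, response=""):
    """Return (severity, reasons); severity is None when nothing matches."""
    if method.upper() != "POST" or path.split("?")[0].lower() != TARGET:
        return None, []
    params = parse_qs(body, keep_blank_values=True)  # URL-decodes the values
    q = " ".join(params.get("q", []))
    if not SQLI.search(q):
        return None, []
    reasons = ["q has quote + UNION SELECT + INTO OUTFILE"]
    if WEBROOT.search(q):
        reasons.append("OUTFILE path points into the web root")
    if "protList" in params.get("commonJson", []):
        reasons.append("commonJson=protList sent with q")
    # Severity labels are this example's own convention (assumption).
    if response and "No Results Found" not in response:
        reasons.append("response lacks 'No Results Found'")
        return "high", reasons
    return "medium", reasons

# Constructed sample transactions: (method, path, POST body, response body).
SAMPLES = [
    ("POST", "/d4d/statusFilter.php", "commonJson=protList&q=tcp", "No Results Found"),
    ("POST", "/d4d/statusFilter.php",
     "commonJson=protList&q=zz%27+UNION+SELECT+0x41414141%2C0+INTO+OUTFILE+"
     "%27..%2F..%2Fhtml%2Fd4d%2Fzz.php%27%23", "[]"),
    ("POST", "/d4d/statusFilter.php",
     r"commonJson=protList&q=AAA' union select 0x41414141,0 into outfile "
     r"'C:\\Program Files\\Scrutinizer\\html\\my.php'#", "No Results Found"),
    ("GET", "/d4d/statusFilter.php", "", ""),
]

def scan(samples):
    """Return (index, severity, reasons) for every transaction that matched."""
    results = ((i, *classify(*rec)) for i, rec in enumerate(samples))
    return [r for r in results if r[1]]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(hit)
```

The matcher does not check for a session or login, in line with the note above that unauthenticated requests should be treated as equally suspicious.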