CVE-2014-4977
published 2014-07-16

Priority: P2 60 · Severity: medium · CVSS 2.0 base score: 6.5
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Tags: EXPLOIT
EPSS: 74.93% (99.4th percentile)
Multiple SQL injection vulnerabilities in Dell SonicWall Scrutinizer 11.0.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) selectedUserGroup parameter in a create new user request to cgi-bin/admin.cgi or the (2) user_id parameter in the changeUnit function, (3) methodDetail parameter in the methodDetail function, or (4) xcNetworkDetail parameter in the xcNetworkDetail function in d4d/exporters.php.

Affected (1 range)

Vendor: sonicwall · Product: scrutinizer · Version range: (not listed) · Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: /cgi-bin/admin.cgi
path: /d4d/exporters.php
path: /cgi-bin/login.cgi
cookie: cookiesenabled=1;sessionid=<sid>;userid=<uid>
command: -6045 UNION ALL SELECT '#{pattern}',#{pad_null(19)}
command: -6045 UNION ALL SELECT @@version_compile_os,#{pad_null(19)}
command: -6045 UNION ALL SELECT 0x#{hex_backdoor},#{pad_null(19)} INTO DUMPFILE '#{d4d_path}/#{backdoor_fname}' #
path: ../../html/d4d
path: /home/plixer/scrutinizer/html/d4d
  • Monitor HTTP GET requests to /d4d/exporters.php containing the 'methodDetail' parameter with SQL UNION injection patterns (e.g., '-6045 UNION ALL SELECT').
  • Alert on SQL injection patterns targeting the selectedUserGroup, user_id, methodDetail, or xcNetworkDetail parameters in requests to cgi-bin/admin.cgi or d4d/exporters.php.
  • Detect use of MySQL's INTO DUMPFILE clause within SQL injection payloads delivered via GET parameters to exporters.php, indicating attempted file write for webshell upload.
  • Flag authentication attempts to /cgi-bin/login.cgi using the default credential admin:admin, which the exploit module uses by default.
  • Watch for new .php files appearing under the d4d web directory (../../html/d4d on Windows or /home/plixer/scrutinizer/html/d4d on Linux), which indicates a PHP backdoor was written via SQL injection.
  • Detect multipart POST requests to randomly named .php files under /d4d/, which indicates the dropped PHP backdoor is being used to upload a binary payload.
  • The exploit requires authentication; however, it defaults to the factory credential admin:admin, meaning unpatched appliances with default credentials are trivially exploitable without prior access.