Rapid7 Vulnerability & Exploit Database

Grandstream UCM62xx IP PBX WebSocket Blind SQL Injection Credential Dump

Disclosed
03/30/2020
Created
02/17/2022

Description

This module uses a blind SQL injection (CVE-2020-5724) affecting the Grandstream UCM62xx IP PBX to dump the users table. The injection occurs over a WebSocket at the websockify endpoint, specifically when the client requests the challenge as part of the challenge and response authentication scheme. The injection is blind, but the server response carries a different status code depending on whether the injected query succeeded, so the attacker can infer the contents of the user database one guess at a time. Most helpfully, the passwords are stored in cleartext within the user table (CVE-2020-5723). This issue was patched in Grandstream UCM62xx IP PBX firmware version 1.20.22.

Author(s)

  • jbaines-r7

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use auxiliary/gather/grandstream_ucm62xx_sql_account_guess
msf auxiliary(grandstream_ucm62xx_sql_account_guess) > show actions
    ...actions...
msf auxiliary(grandstream_ucm62xx_sql_account_guess) > set ACTION < action-name >
msf auxiliary(grandstream_ucm62xx_sql_account_guess) > show options
    ...show and set options...
msf auxiliary(grandstream_ucm62xx_sql_account_guess) > run
