7.5 CVE-2012-2311

RCE Injection SQL Used by Malware

sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that contain a %3D sequence but no = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.
https://nvd.nist.gov/vuln/detail/CVE-2012-2311

References

secalert@redhat.com

http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00007.html
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00011.html
http://marc.info/?l=bugtraq&m=134012830914727&w=2
http://secunia.com/advisories/49014
http://secunia.com/advisories/49085
http://support.apple.com/kb/HT5501
http://www.debian.org/security/2012/dsa-2465
http://www.kb.cert.org/vuls/id/520827 US Government Resource
http://www.php.net/ChangeLog-5.php#5.4.3
http://www.php.net/archive/2012.php#id2012-05-08-1
http://www.securitytracker.com/id?1027022
https://bugs.php.net/bug.php?id=61910 Vendor Advisory
https://bugs.php.net/patch-display.php?bug_id=61910&patch=cgi.diff-fix-check....
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na...

CPE

cpe	start	end
Configuration 1
cpe:2.3:a:php:php::::::::		<= 5.3.12
cpe:2.3:a:php:php:1.0:::::::*
cpe:2.3:a:php:php:2.0:::::::*
cpe:2.3:a:php:php:2.0b10:::::::*
cpe:2.3:a:php:php:3.0:::::::*
cpe:2.3:a:php:php:3.0.1:::::::*
cpe:2.3:a:php:php:3.0.2:::::::*
cpe:2.3:a:php:php:3.0.3:::::::*
cpe:2.3:a:php:php:3.0.4:::::::*
cpe:2.3:a:php:php:3.0.5:::::::*
cpe:2.3:a:php:php:3.0.6:::::::*
cpe:2.3:a:php:php:3.0.7:::::::*
cpe:2.3:a:php:php:3.0.8:::::::*
cpe:2.3:a:php:php:3.0.9:::::::*
cpe:2.3:a:php:php:3.0.10:::::::*
cpe:2.3:a:php:php:3.0.11:::::::*
cpe:2.3:a:php:php:3.0.12:::::::*
cpe:2.3:a:php:php:3.0.13:::::::*
cpe:2.3:a:php:php:3.0.14:::::::*
cpe:2.3:a:php:php:3.0.15:::::::*
cpe:2.3:a:php:php:3.0.16:::::::*
cpe:2.3:a:php:php:3.0.17:::::::*
cpe:2.3:a:php:php:3.0.18:::::::*
cpe:2.3:a:php:php:4.0:beta_4_patch1::::::
cpe:2.3:a:php:php:4.0:beta1::::::
cpe:2.3:a:php:php:4.0:beta2::::::
cpe:2.3:a:php:php:4.0:beta3::::::
cpe:2.3:a:php:php:4.0:beta4::::::
cpe:2.3:a:php:php:4.0.0:::::::*
cpe:2.3:a:php:php:4.0.1:::::::*
cpe:2.3:a:php:php:4.0.2:::::::*
cpe:2.3:a:php:php:4.0.3:::::::*
cpe:2.3:a:php:php:4.0.4:::::::*
cpe:2.3:a:php:php:4.0.5:::::::*
cpe:2.3:a:php:php:4.0.6:::::::*
cpe:2.3:a:php:php:4.0.7:::::::*
cpe:2.3:a:php:php:4.1.0:::::::*
cpe:2.3:a:php:php:4.1.1:::::::*
cpe:2.3:a:php:php:4.1.2:::::::*
cpe:2.3:a:php:php:4.2.0:::::::*
cpe:2.3:a:php:php:4.2.1:::::::*
cpe:2.3:a:php:php:4.2.2:::::::*
cpe:2.3:a:php:php:4.2.3:::::::*
cpe:2.3:a:php:php:4.3.0:::::::*
cpe:2.3:a:php:php:4.3.1:::::::*
cpe:2.3:a:php:php:4.3.2:::::::*
cpe:2.3:a:php:php:4.3.3:::::::*
cpe:2.3:a:php:php:4.3.4:::::::*
cpe:2.3:a:php:php:4.3.5:::::::*
cpe:2.3:a:php:php:4.3.6:::::::*
cpe:2.3:a:php:php:4.3.7:::::::*
cpe:2.3:a:php:php:4.3.8:::::::*
cpe:2.3:a:php:php:4.3.9:::::::*
cpe:2.3:a:php:php:4.3.10:::::::*
cpe:2.3:a:php:php:4.3.11:::::::*
cpe:2.3:a:php:php:4.4.0:::::::*
cpe:2.3:a:php:php:4.4.1:::::::*
cpe:2.3:a:php:php:4.4.2:::::::*
cpe:2.3:a:php:php:4.4.3:::::::*
cpe:2.3:a:php:php:4.4.4:::::::*
cpe:2.3:a:php:php:4.4.5:::::::*
cpe:2.3:a:php:php:4.4.6:::::::*
cpe:2.3:a:php:php:4.4.7:::::::*
cpe:2.3:a:php:php:4.4.8:::::::*
cpe:2.3:a:php:php:4.4.9:::::::*
cpe:2.3:a:php:php:5.0.0:::::::*
cpe:2.3:a:php:php:5.0.0:beta1::::::
cpe:2.3:a:php:php:5.0.0:beta2::::::
cpe:2.3:a:php:php:5.0.0:beta3::::::
cpe:2.3:a:php:php:5.0.0:beta4::::::
cpe:2.3:a:php:php:5.0.0:rc1::::::
cpe:2.3:a:php:php:5.0.0:rc2::::::
cpe:2.3:a:php:php:5.0.0:rc3::::::
cpe:2.3:a:php:php:5.0.1:::::::*
cpe:2.3:a:php:php:5.0.2:::::::*
cpe:2.3:a:php:php:5.0.3:::::::*
cpe:2.3:a:php:php:5.0.4:::::::*
cpe:2.3:a:php:php:5.0.5:::::::*
cpe:2.3:a:php:php:5.1.0:::::::*
cpe:2.3:a:php:php:5.1.1:::::::*
cpe:2.3:a:php:php:5.1.2:::::::*
cpe:2.3:a:php:php:5.1.3:::::::*
cpe:2.3:a:php:php:5.1.4:::::::*
cpe:2.3:a:php:php:5.1.5:::::::*
cpe:2.3:a:php:php:5.1.6:::::::*
cpe:2.3:a:php:php:5.2.0:::::::*
cpe:2.3:a:php:php:5.2.1:::::::*
cpe:2.3:a:php:php:5.2.2:::::::*
cpe:2.3:a:php:php:5.2.3:::::::*
cpe:2.3:a:php:php:5.2.4:::::::*
cpe:2.3:a:php:php:5.2.5:::::::*
cpe:2.3:a:php:php:5.2.6:::::::*
cpe:2.3:a:php:php:5.2.7:::::::*
cpe:2.3:a:php:php:5.2.8:::::::*
cpe:2.3:a:php:php:5.2.9:::::::*
cpe:2.3:a:php:php:5.2.10:::::::*
cpe:2.3:a:php:php:5.2.11:::::::*
cpe:2.3:a:php:php:5.2.12:::::::*
cpe:2.3:a:php:php:5.2.13:::::::*
cpe:2.3:a:php:php:5.2.14:::::::*
cpe:2.3:a:php:php:5.2.15:::::::*
cpe:2.3:a:php:php:5.2.16:::::::*
cpe:2.3:a:php:php:5.2.17:::::::*
cpe:2.3:a:php:php:5.3.0:::::::*
cpe:2.3:a:php:php:5.3.1:::::::*
cpe:2.3:a:php:php:5.3.2:::::::*
cpe:2.3:a:php:php:5.3.3:::::::*
cpe:2.3:a:php:php:5.3.4:::::::*
cpe:2.3:a:php:php:5.3.5:::::::*
cpe:2.3:a:php:php:5.3.6:::::::*
cpe:2.3:a:php:php:5.3.7:::::::*
cpe:2.3:a:php:php:5.3.8:::::::*
cpe:2.3:a:php:php:5.3.9:::::::*
cpe:2.3:a:php:php:5.3.10:::::::*
cpe:2.3:a:php:php:5.3.11:::::::*
cpe:2.3:a:php:php:5.4.0:::::::*
cpe:2.3:a:php:php:5.4.0:beta2::::::
cpe:2.3:a:php:php:5.4.1:::::::*
cpe:2.3:a:php:php:5.4.2:::::::*

REMEDIATION

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
109	Object Relational Mapping Injection An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject their own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible. [Determine Persistence Framework Used] An attacker tries to determine what persistence framework is used by the application in order to leverage a weakness in the generated data access layer code or a weakness in a way that the data access layer may have been used by the developer. [Probe for ORM Injection vulnerabilities] The attacker injects ORM syntax into user-controllable data inputs of the application to determine if it is possible modify data query structure and content. [Perform SQL Injection through the generated data access layer] An attacker proceeds to exploit a weakness in the generated data access methods that does not properly separate control plane from the data plan, or potentially a particular way in which developer might have misused the generated code, to modify the structure of the executed SQL queries and/or inject entirely new SQL queries.	High
110	SQL Injection through SOAP Parameter Tampering An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message. [Detect Incorrect SOAP Parameter Handling] The attacker tampers with the SOAP message parameters and looks for indications that the tampering caused a change in behavior of the targeted application. [Probe for SQL Injection vulnerability] The attacker injects SQL syntax into vulnerable SOAP parameters identified during the Explore phase to search for unfiltered execution of the SQL syntax in a query. [Inject SQL via SOAP Parameters] The attacker injects SQL via SOAP parameters identified as vulnerable during Explore phase to launch a first or second order SQL injection attack.	Very High
108	Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host. [Probe for SQL Injection vulnerability] The attacker injects SQL syntax into user-controllable data inputs to search unfiltered execution of the SQL syntax in a query. [Achieve arbitrary command execution through SQL Injection with the MSSQL_xp_cmdshell directive] The attacker leverages a SQL Injection attack to inject shell code to be executed by leveraging the xp_cmdshell directive. [Inject malicious data in the database] Leverage SQL injection to inject data in the database that could later be used to achieve command injection if ever used as a command line argument [Trigger command line execution with injected arguments] The attacker causes execution of command line functionality which leverages previously injected database content as arguments.	Very High
470	Expanding Control over the Operating System from the Database An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally SQL injections attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every data base management system (DBMS) system includes facilities that if compromised allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc. The adversary identifies a database management system running on a machine they would like to gain control over, or on a network they want to move laterally through. The adversary goes about the typical steps of an SQL injection and determines if an injection is possible. Once the Adversary determines that an SQL injection is possible, they must ensure that the requirements for the attack are met. These are a high privileged session user and batched query support. This is done in similar ways to discovering if an SQL injection is possible. If the requirements are met, based on the database management system that is running, the adversary will find or create user defined functions (UDFs) that can be loaded as DLLs. An example of a DLL can be found at https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/mysql In order to load the DLL, the adversary must first find the path to the plugin directory. The command to achieve this is different based on the type of DBMS, but for MySQL, this can be achieved by running the command "select @@plugin_dir" The DLL is then moved into the previously found plugin directory so that the contained functions can be loaded. This can be done in a number of ways; loading from a network share, writing the entire hex encoded string to a file in the plugin directory, or loading the DLL into a table and then into a file. An example using MySQL to load the hex string is as follows. select 0x4d5a9000... into dump file "{plugin directory}\udf.dll"; Once the DLL is in the plugin directory, a command is then run to load the UDFs. An example of this in MySQL is "create function sys_eval returns string soname 'udf.dll';" The function sys_eval is specific to the example DLL listed above. Once the adversary has loaded the desired function(s), they will use these to execute arbitrary commands on the compromised system. This is done through a simple select command to the loaded UDF. For example: "select sys_eval('dir');". Because the prerequisite to this attack is that the database session user is a super user, this means that the adversary will be able to execute commands with elevated privileges.	Very High
66	SQL Injection This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL Injection results from failure of the application to appropriately validate input. [Survey application] The attacker first takes an inventory of the functionality exposed by the application. [Determine user-controllable input susceptible to injection] Determine the user-controllable input susceptible to injection. For each user-controllable input that the attacker suspects is vulnerable to SQL injection, attempt to inject characters that have special meaning in SQL (such as a single quote character, a double quote character, two hyphens, a parenthesis, etc.). The goal is to create a SQL query with an invalid syntax. [Experiment with SQL Injection vulnerabilities] After determining that a given input is vulnerable to SQL Injection, hypothesize what the underlying query looks like. Iteratively try to add logic to the query to extract information from the database, or to modify or delete information in the database. [Exploit SQL Injection vulnerability] After refining and adding various logic to SQL queries, craft and execute the underlying SQL query that will be used to attack the target system. The goal is to reveal, modify, and/or delete database data, using the knowledge obtained in the previous step. This could entail crafting and executing multiple SQL queries if a denial of service attack is the intent.	High
7	Blind SQL Injection Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection. [Hypothesize SQL queries in application] [Determine how to inject information into the queries] [Determine user-controllable input susceptible to injection] Determine the user-controllable input susceptible to injection. For each user-controllable input that the adversary suspects is vulnerable to SQL injection, attempt to inject the values determined in the previous step. If an error does not occur, then the adversary knows that the SQL injection was successful. [Determine database type] Determines the type of the database, such as MS SQL Server or Oracle or MySQL, using logical conditions as part of the injected queries [Extract information about database schema] Extract information about database schema by getting the database to answer yes/no questions about the schema. [Exploit SQL Injection vulnerability] Use the information obtained in the previous steps to successfully inject the database in order to bypass checks or modify, add, retrieve or delete data from the database	High

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

cpe	start	end
Configuration 1
cpe:2.3:a:php:php::::::::		<= 5.3.12
cpe:2.3:a:php:php:1.0:::::::*
cpe:2.3:a:php:php:2.0:::::::*
cpe:2.3:a:php:php:2.0b10:::::::*
cpe:2.3:a:php:php:3.0:::::::*
cpe:2.3:a:php:php:3.0.1:::::::*
cpe:2.3:a:php:php:3.0.2:::::::*
cpe:2.3:a:php:php:3.0.3:::::::*
cpe:2.3:a:php:php:3.0.4:::::::*
cpe:2.3:a:php:php:3.0.5:::::::*
cpe:2.3:a:php:php:3.0.6:::::::*
cpe:2.3:a:php:php:3.0.7:::::::*
cpe:2.3:a:php:php:3.0.8:::::::*
cpe:2.3:a:php:php:3.0.9:::::::*
cpe:2.3:a:php:php:3.0.10:::::::*
cpe:2.3:a:php:php:3.0.11:::::::*
cpe:2.3:a:php:php:3.0.12:::::::*
cpe:2.3:a:php:php:3.0.13:::::::*
cpe:2.3:a:php:php:3.0.14:::::::*
cpe:2.3:a:php:php:3.0.15:::::::*
cpe:2.3:a:php:php:3.0.16:::::::*
cpe:2.3:a:php:php:3.0.17:::::::*
cpe:2.3:a:php:php:3.0.18:::::::*
cpe:2.3:a:php:php:4.0:beta_4_patch1::::::
cpe:2.3:a:php:php:4.0:beta1::::::
cpe:2.3:a:php:php:4.0:beta2::::::
cpe:2.3:a:php:php:4.0:beta3::::::
cpe:2.3:a:php:php:4.0:beta4::::::
cpe:2.3:a:php:php:4.0.0:::::::*
cpe:2.3:a:php:php:4.0.1:::::::*
cpe:2.3:a:php:php:4.0.2:::::::*
cpe:2.3:a:php:php:4.0.3:::::::*
cpe:2.3:a:php:php:4.0.4:::::::*
cpe:2.3:a:php:php:4.0.5:::::::*
cpe:2.3:a:php:php:4.0.6:::::::*
cpe:2.3:a:php:php:4.0.7:::::::*
cpe:2.3:a:php:php:4.1.0:::::::*
cpe:2.3:a:php:php:4.1.1:::::::*
cpe:2.3:a:php:php:4.1.2:::::::*
cpe:2.3:a:php:php:4.2.0:::::::*
cpe:2.3:a:php:php:4.2.1:::::::*
cpe:2.3:a:php:php:4.2.2:::::::*
cpe:2.3:a:php:php:4.2.3:::::::*
cpe:2.3:a:php:php:4.3.0:::::::*
cpe:2.3:a:php:php:4.3.1:::::::*
cpe:2.3:a:php:php:4.3.2:::::::*
cpe:2.3:a:php:php:4.3.3:::::::*
cpe:2.3:a:php:php:4.3.4:::::::*
cpe:2.3:a:php:php:4.3.5:::::::*
cpe:2.3:a:php:php:4.3.6:::::::*
cpe:2.3:a:php:php:4.3.7:::::::*
cpe:2.3:a:php:php:4.3.8:::::::*
cpe:2.3:a:php:php:4.3.9:::::::*
cpe:2.3:a:php:php:4.3.10:::::::*
cpe:2.3:a:php:php:4.3.11:::::::*
cpe:2.3:a:php:php:4.4.0:::::::*
cpe:2.3:a:php:php:4.4.1:::::::*
cpe:2.3:a:php:php:4.4.2:::::::*
cpe:2.3:a:php:php:4.4.3:::::::*
cpe:2.3:a:php:php:4.4.4:::::::*
cpe:2.3:a:php:php:4.4.5:::::::*
cpe:2.3:a:php:php:4.4.6:::::::*
cpe:2.3:a:php:php:4.4.7:::::::*
cpe:2.3:a:php:php:4.4.8:::::::*
cpe:2.3:a:php:php:4.4.9:::::::*
cpe:2.3:a:php:php:5.0.0:::::::*
cpe:2.3:a:php:php:5.0.0:beta1::::::
cpe:2.3:a:php:php:5.0.0:beta2::::::
cpe:2.3:a:php:php:5.0.0:beta3::::::
cpe:2.3:a:php:php:5.0.0:beta4::::::
cpe:2.3:a:php:php:5.0.0:rc1::::::
cpe:2.3:a:php:php:5.0.0:rc2::::::
cpe:2.3:a:php:php:5.0.0:rc3::::::
cpe:2.3:a:php:php:5.0.1:::::::*
cpe:2.3:a:php:php:5.0.2:::::::*
cpe:2.3:a:php:php:5.0.3:::::::*
cpe:2.3:a:php:php:5.0.4:::::::*
cpe:2.3:a:php:php:5.0.5:::::::*
cpe:2.3:a:php:php:5.1.0:::::::*
cpe:2.3:a:php:php:5.1.1:::::::*
cpe:2.3:a:php:php:5.1.2:::::::*
cpe:2.3:a:php:php:5.1.3:::::::*
cpe:2.3:a:php:php:5.1.4:::::::*
cpe:2.3:a:php:php:5.1.5:::::::*
cpe:2.3:a:php:php:5.1.6:::::::*
cpe:2.3:a:php:php:5.2.0:::::::*
cpe:2.3:a:php:php:5.2.1:::::::*
cpe:2.3:a:php:php:5.2.2:::::::*
cpe:2.3:a:php:php:5.2.3:::::::*
cpe:2.3:a:php:php:5.2.4:::::::*
cpe:2.3:a:php:php:5.2.5:::::::*
cpe:2.3:a:php:php:5.2.6:::::::*
cpe:2.3:a:php:php:5.2.7:::::::*
cpe:2.3:a:php:php:5.2.8:::::::*
cpe:2.3:a:php:php:5.2.9:::::::*
cpe:2.3:a:php:php:5.2.10:::::::*
cpe:2.3:a:php:php:5.2.11:::::::*
cpe:2.3:a:php:php:5.2.12:::::::*
cpe:2.3:a:php:php:5.2.13:::::::*
cpe:2.3:a:php:php:5.2.14:::::::*
cpe:2.3:a:php:php:5.2.15:::::::*
cpe:2.3:a:php:php:5.2.16:::::::*
cpe:2.3:a:php:php:5.2.17:::::::*
cpe:2.3:a:php:php:5.3.0:::::::*
cpe:2.3:a:php:php:5.3.1:::::::*
cpe:2.3:a:php:php:5.3.2:::::::*
cpe:2.3:a:php:php:5.3.3:::::::*
cpe:2.3:a:php:php:5.3.4:::::::*
cpe:2.3:a:php:php:5.3.5:::::::*
cpe:2.3:a:php:php:5.3.6:::::::*
cpe:2.3:a:php:php:5.3.7:::::::*
cpe:2.3:a:php:php:5.3.8:::::::*
cpe:2.3:a:php:php:5.3.9:::::::*
cpe:2.3:a:php:php:5.3.10:::::::*
cpe:2.3:a:php:php:5.3.11:::::::*
cpe:2.3:a:php:php:5.4.0:::::::*
cpe:2.3:a:php:php:5.4.0:beta2::::::
cpe:2.3:a:php:php:5.4.1:::::::*
cpe:2.3:a:php:php:5.4.2:::::::*