NetCracker Resource Management System 8.0 SQL Injection

`# Vulnerability type: SQL Injection  
# Vendor: http://www.netcracker.com/  
# Product: NetCracker Resource Management System  
# Affected version: =< 8.0  
# Patched version: 8.2  
# Credit: Foo Jong Meng, Chia Junyuan, Benjamin Tan  
# CVE ID: CVE-2015-3423  
  
# PROOF OF CONCEPT (SQLi)  
  
SQL Injection (SQLi) vulnerability in multiple pages in NetCracker  
Resource Management System and earlier allows authenticated users to  
inject SQL statements via multiple parameters.  
  
# VULNERABLE PARAMETERS:  
- ctrl  
- h____%2427  
- h____%2439  
- param0  
- param1  
- param2  
- param3  
- param4  
- filter_INSERT_COUNT  
- filter_MINOR_FALLOUT  
- filter_UPDATE_COUNT  
- sort  
- sessid  
- (etc...)  
  
# SAMPLE PAYLOAD  
- '  
  
# TIMELINE  
- 28/02/2015: Vulnerability found  
- 13/03/2015: Vendor informed  
- 13/03/2015: Vendor responded and acknowledged  
- 21/04/2015: Vendor fixed the issue  
- 22/07/2015: Public disclosure  
`