what you don't know can hurt you

WiKID Systems 2FA Enterprise Server 4.2.0-b2032 SQL Injection / XSS / CSRF

WiKID Systems 2FA Enterprise Server 4.2.0-b2032 SQL Injection / XSS / CSRF
Posted Oct 18, 2019
Authored by Aaron Bishop

WiKID Systems 2FA Enterprise Server version 4.2.0-b2032 suffers from cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection, csrf
advisories | CVE-2019-16917, CVE-2019-17114, CVE-2019-17115, CVE-2019-17116, CVE-2019-17117, CVE-2019-17118, CVE-2019-17119, CVE-2019-17120
MD5 | 87e4bf80dc5a6746b499ffb6cb16fe9c

WiKID Systems 2FA Enterprise Server 4.2.0-b2032 SQL Injection / XSS / CSRF

Change Mirror Download
WiKID Systems 2FA Enterprise Serverversion 4.2.0-b2032 and earlier was
found to be vulnerable to multiple Cross-Site Scripting, SQLi, and CSRF
issues.

*searchDevices.jsp* is vulnerable to SQL injection through the *uid* and
*domain* parameters. The application uses Postgres which supports Stacked
Queries, the issue can be seen by submitting a request like:

SLEEP=10; HOST=$RHOST; COOKIE=$COOKIE; time curl -v -i -s -k -X
'POST' -H "Host: $HOST" -H "Cookie: JSESSIONID=$COOKIE;" --data-binary
"uid=test&domain=1;select pg_sleep($SLEEP);--&action=Search"
https://$HOST/WiKIDAdmin/searchDevices.jsp

The request will cause the database to sleep for 10+ seconds. This issue
has been assigned *CVE-2019-16917*.

*processPref.jsp* is vulnerable to SQL injection through the *key* parameter
if the action parameter is set to *update.* The following request will
trigger the issue for an authenticated user:

https://$RHOST/WiKIDAdmin/processPref.jsp?action=Update&key=test%27;%20SELECT%20pg_sleep(5);--

The request will cause the database to sleep for 5+ seconds. This issue
has been assigned *CVE-2019-17117.*

*Logs.jsp* is vulnerable to SQL injection through the *substring *and
*source* parameters. The following request will demonstrate the issue:

time curl --output /dev/null -s -k -H "Cookie: JSESSIONID=$COOKIE"
--data-binary "source='; select pg_sleep(5);--"
https://$RHOST/WiKIDAdmin/Log.jsp

real 0m10.572s
user 0m0.008s
sys 0m0.016s

The request will cause the database to sleep for 5+ seconds. This issue
has been assigned *CVE-2019-17119*

*usrPreregistration.jsp *is vulnerable to cross site scripting by uploading
a malicious .csv file containing <script> elements. This issue has been
assigned *CVE-2019-17114*

*Logs.jsp *is vulnerable to cross site scripting by triggering errors in
the unauthenticated portion of the application. The errors are severe
enough to appear in the logs by default. This issue has been assigned
*CVE-2019-17115.*

*groups.jsp *is vulnerable to cross site scripting by creating a group with
a name that contains <script> elements. This issue has been assigned
*CVE-2019-17116*

*adm_usrs.jsp *is vulnerable to cross site scripting when an admin is
created with a username containing <script> elements. This issue has been
assigned *CVE-2019-17120*

The application does not implement CSRF protection. Tricking an
authenticated user to click a link like:

<a href="https://$RHOST/WiKIDAdmin/adm_usrs.jsp?usr=pentest&newpass1=password1&newpass2=password1&action=Add">WiKIDAdmin
Manual</a>

Will result in an admin user unintentionally being created. This issue has
been assigned *CVE-2019-17118*

https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-csrf
https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-cross-site-scripting
https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-sql-injection

AARON BISHOP | Principal Penetration Tester CISSP, OSCP, OSWE P:801.995.6999
[image: SecurityMetrics]


Login or Register to add favorites

File Archive:

May 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    14 Files
  • 2
    May 2nd
    3 Files
  • 3
    May 3rd
    1 Files
  • 4
    May 4th
    18 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    21 Files
  • 7
    May 7th
    15 Files
  • 8
    May 8th
    19 Files
  • 9
    May 9th
    1 Files
  • 10
    May 10th
    2 Files
  • 11
    May 11th
    18 Files
  • 12
    May 12th
    39 Files
  • 13
    May 13th
    15 Files
  • 14
    May 14th
    17 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    2 Files
  • 17
    May 17th
    2 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    21 Files
  • 20
    May 20th
    15 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    6 Files
  • 23
    May 23rd
    1 Files
  • 24
    May 24th
    1 Files
  • 25
    May 25th
    2 Files
  • 26
    May 26th
    23 Files
  • 27
    May 27th
    13 Files
  • 28
    May 28th
    13 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close