what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WiKID Systems 2FA Enterprise Server 4.2.0-b2032 SQL Injection / XSS / CSRF

WiKID Systems 2FA Enterprise Server 4.2.0-b2032 SQL Injection / XSS / CSRF
Posted Oct 18, 2019
Authored by Aaron Bishop

WiKID Systems 2FA Enterprise Server version 4.2.0-b2032 suffers from cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection, csrf
advisories | CVE-2019-16917, CVE-2019-17114, CVE-2019-17115, CVE-2019-17116, CVE-2019-17117, CVE-2019-17118, CVE-2019-17119, CVE-2019-17120
SHA-256 | 16f7edc4af940d18ad1ea3af320f681ee3a9432185f93f6bbc0ce222543bcacf

WiKID Systems 2FA Enterprise Server 4.2.0-b2032 SQL Injection / XSS / CSRF

Change Mirror Download
WiKID Systems 2FA Enterprise Serverversion 4.2.0-b2032 and earlier was
found to be vulnerable to multiple Cross-Site Scripting, SQLi, and CSRF
issues.

*searchDevices.jsp* is vulnerable to SQL injection through the *uid* and
*domain* parameters. The application uses Postgres which supports Stacked
Queries, the issue can be seen by submitting a request like:

SLEEP=10; HOST=$RHOST; COOKIE=$COOKIE; time curl -v -i -s -k -X
'POST' -H "Host: $HOST" -H "Cookie: JSESSIONID=$COOKIE;" --data-binary
"uid=test&domain=1;select pg_sleep($SLEEP);--&action=Search"
https://$HOST/WiKIDAdmin/searchDevices.jsp

The request will cause the database to sleep for 10+ seconds. This issue
has been assigned *CVE-2019-16917*.

*processPref.jsp* is vulnerable to SQL injection through the *key* parameter
if the action parameter is set to *update.* The following request will
trigger the issue for an authenticated user:

https://$RHOST/WiKIDAdmin/processPref.jsp?action=Update&key=test%27;%20SELECT%20pg_sleep(5);--

The request will cause the database to sleep for 5+ seconds. This issue
has been assigned *CVE-2019-17117.*

*Logs.jsp* is vulnerable to SQL injection through the *substring *and
*source* parameters. The following request will demonstrate the issue:

time curl --output /dev/null -s -k -H "Cookie: JSESSIONID=$COOKIE"
--data-binary "source='; select pg_sleep(5);--"
https://$RHOST/WiKIDAdmin/Log.jsp

real 0m10.572s
user 0m0.008s
sys 0m0.016s

The request will cause the database to sleep for 5+ seconds. This issue
has been assigned *CVE-2019-17119*

*usrPreregistration.jsp *is vulnerable to cross site scripting by uploading
a malicious .csv file containing <script> elements. This issue has been
assigned *CVE-2019-17114*

*Logs.jsp *is vulnerable to cross site scripting by triggering errors in
the unauthenticated portion of the application. The errors are severe
enough to appear in the logs by default. This issue has been assigned
*CVE-2019-17115.*

*groups.jsp *is vulnerable to cross site scripting by creating a group with
a name that contains <script> elements. This issue has been assigned
*CVE-2019-17116*

*adm_usrs.jsp *is vulnerable to cross site scripting when an admin is
created with a username containing <script> elements. This issue has been
assigned *CVE-2019-17120*

The application does not implement CSRF protection. Tricking an
authenticated user to click a link like:

<a href="https://$RHOST/WiKIDAdmin/adm_usrs.jsp?usr=pentest&newpass1=password1&newpass2=password1&action=Add">WiKIDAdmin
Manual</a>

Will result in an admin user unintentionally being created. This issue has
been assigned *CVE-2019-17118*

https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-csrf
https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-cross-site-scripting
https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-sql-injection

AARON BISHOP | Principal Penetration Tester CISSP, OSCP, OSWE P:801.995.6999
[image: SecurityMetrics]


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close