Key Information

EID-ID: 24898
CVE: 2013-2690
Author: Bhadresh Patel
Type: Webapps
Platform: PHP
Date: 2013-03-29
Vulnerable App: SynConnect Pms

Vulnerability Description

Title
SynConnect - SQL Injection vulnerability

Credit
Name: Bhadresh Patel
Company/Affiliation: Cyberoam Technologies Private Limited
Website: www.cyberoam.com

Affected Version
Ver 2.0

Exploitation-Technique
Remote

Severity Rating
7.3 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:U/RC:C/CDP:MH/TD:M/CR:H/IR:H/AR:H)

Details
There is an error-based SQL injection vulnerability in SynConnect's index.php which allows an attacker to steal the full database, including master admin credentials and guests' personal confidential information. Logging in to the admin portal gives the attacker overall control of guest accounts. The attacker can also impersonate a guest by stealing that guest's login credentials. SynConnect offers easy payment for internet access via prepaid packages or an internet payment gateway such as World Pay, but whether the vulnerability extends to this area has not been checked.

Vulnerable Module(s)
index.php?func=logoff&loginid=

Vulnerable Parameter
loginid

SQL Error Logs
Fatal error: SQL statement failed: select from user_master, group_master, package_master where user_master.userid='1011' AND (SELECT 8975 FROM(SELECT COUNT(), CONCAT((SELECT (SELECT (SELECT CONCAT(schema_name,0x20),(SELECT (SELECT CONCAT(CHAR(107,109,114,111,108,97,115,114,106,104,109,114,101,105,100))))) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 6,1 ),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

Risk
The security risk of the remote SQL injection vulnerability is estimated as critical.

Proof Of Concept
The vulnerability can be exploited by a remote attacker without authentication.
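
A detection check for the parameter named above, as an added example that is not part of the original advisory or SynConnect's own code: it scans web access log lines for logoff requests to index.php whose loginid falls outside an allow-list. The access log format, the allow-list pattern for legitimate loginid values and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate loginid values are short account identifiers.
LOGINID_OK = re.compile(r"[A-Za-z0-9_.@-]{1,64}")
# Client address and request target of a common/combined log format line.
REQUEST = re.compile(
    r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"'
)


def suspicious_logoff_requests(lines):
    """Return (client_ip, decoded_loginid) for every func=logoff request
    to index.php whose loginid does not match the allow-list."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable request line
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/index.php"):
            continue
        # parse_qs percent-decodes values, so encoded quotes are visible.
        params = parse_qs(url.query, keep_blank_values=True)
        if "logoff" not in params.get("func", []):
            continue
        for value in params.get("loginid", []):
            if not LOGINID_OK.fullmatch(value):
                hits.append((m.group("ip"), value))
    return hits


# Constructed sample log lines (documentation-range addresses); the second
# carries a truncated fragment of the statement shown in the error log.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Mar/2013:10:00:01 +0000] "GET /index.php?func=logoff&loginid=1011 HTTP/1.1" 200 512',
    '198.51.100.7 - - [29/Mar/2013:10:00:05 +0000] "GET /index.php?func=logoff&loginid=1011%27%20AND%20(SELECT%208975%20FROM HTTP/1.1" 200 734',
    '192.0.2.11 - - [29/Mar/2013:10:00:09 +0000] "GET /index.php?func=login&loginid=guest42 HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    for ip, value in suspicious_logoff_requests(SAMPLE_LOG):
        print(f"{ip}\tloginid={value!r}")
```

The same allow-list can be applied as input validation in front of the application, but the underlying fix is for index.php to bind loginid as a query parameter instead of concatenating it into the statement.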