The ‘uname’ parameter of the login.jsp page for “Quicklert for Digium Switchvox Version 10 Build 1043” is affected by both a blind SQL injection with out-of-band interaction and a time-based SQL injection. The exploitation of this vulnerability requires no prior authentication and results in the complete compromise of confidentiality, integrity, and availability of the underlying SQL database.
We first escaped the value entered in the ‘uname’ parameter on the login.jsp page to inject code which called back to a DNS server under our control (Burp Collaborator in this case) utilizing the MSSQL function “master.xp_dirtree”, which lists directory contents by default. The DNS server will not be found in a local directory and will result in the server making a request to our DNS server in an attempt to find that address for the master.xp_dirtree function. Note: If you attempt to recreate this exploit, you will need to URL encode the SQL statements as seen in the screenshots below.
Figure 1: Generic Out of Band SQL Injection with DNS Interaction to Burp Collaborator
After validating that we were receiving DNS requests from the vulnerable server, it was possible to continue using the “master.xp_dirtree” function to exfiltrate data from the server including the database name, admin username, etc., by altering the above command slightly. See the example below where we retrieved the DB_NAME value by adding that additional argument:
Figure 2: Obtain DB_NAME value via Out of Band SQL Injection with DNS Interaction to Burp Collaborator
We can see that the DB_NAME value for Quicklert (‘NIPA’ by default) is prepended to the DNS query that we received in the Burp Collaborator tool:
Figure 3: DB_Name value “NIPA” Prepended to DNS Request in Burp Collaborator
We could have continued this process of retrieving data piece by piece from the database through Burp Suite but there is a limitation to the string size which can be retrieved through these types of DNS queries. This led us to utilize time-based SQL injections which use a SLEEP statement to determine when a value does or does not exist based on how long the server takes to respond to a query. This is easily automated using SQLmap.py by saving the Burp Suite request to a file and then using the following command