Blueprint LMS Blind SQL Injection

Overview

SilentGrid identified an unauthenticated time-based blind SQL injection in Global Vision Media's Blueprint Learning Management System (LMS). Blueprint LMS is a fork of Chamilo LMS, with the addition of a SCORM engine and custom functions. The injection is blind in the sense that the application response does not provide output from the backend database. The primary indicators of a blind SQL injection vulnerability then come down to determining valid SQL statements containing True or F

Story From The Trenches: Junction Bug Elevation

It is nice when random things come together to give you a novel attack during an engagement, especially when it starts to feel like the environment is completely sterile. Recently we had set ourselves the goal of elevating privileges on a laptop not too far removed from its original imaging. We did have some credentials for a low privilege domain account so there are some evergreen approaches that can be considered... but that's not what this post is about. The endpoint was also running Airloc

CVE-2021-37749 - Hexagon GeoMedia WebMap 2020 Blind SQL Injection

Overview

SilentGrid identified a blind SQL injection vulnerability in Hexagon's GeoMedia WebMap 2020 solution. This vulnerability can be exploited by unauthenticated attackers to interfere with the SQL query the application is using to interact with the backend database. While a hotfix is available, due to lack of response from the vendor, SilentGrid cannot confirm if the patch is implemented in the latest GeoMedia WebMap 2020 Update 2.

Technical Details

The “Id” parameter within the "sourceIt