CVE-2023-29863: SQL Injection in WSDL file - Waad Ahmed - Medium
Medical Systems Co. Medisys Weblab Products v19.4.03 was discovered to contain a SQL injection vulnerability via the tem:statement parameter in the WSDL files.
Summary:
While testing healthcare applications, we found an unauthenticated SQL injection vulnerability: an unauthenticated user can inject a SQL payload into the </tem:statement> parameter in the WSDL file and retrieve database information.
Vulnerability Details:
- Vendor: Medical Systems Co. — medisys
- Vulnerability: SQL injection
- Affected Version: Weblab Products — 19.4.03
- Vendor Homepage: https://www.amano.eu/en/
- CVE: CVE-2023-29863
Vulnerability Description:
A SQL Injection attack consists of the insertion or injection of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database, or cause a denial of service.
Vulnerability Implications:
An attacker can successfully mount one or more of the following types of attacks:
- Reading, updating and deleting arbitrary data/tables from the database.
- Executing commands on the underlying operating system.
- Causing a denial of service to the application.
Vulnerability Actions:
A very robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements).
Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.
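The difference between string concatenation and a parameterized query for a value taken from a SOAP body, shown as an added example (not code from the vendor or from this write-up). Assumptions: the namespace URIs, the `GetResults` operation, the `results` table and the use of SQLite are all hypothetical; only the `tem:statement` element name comes from the page.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Assumption: the page shows only the "tem" prefix; these namespace URIs are illustrative.
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/", "tem": "http://tempuri.org/"}

def make_db():
    """Constructed in-memory table standing in for the application's data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE results (patient TEXT, test TEXT, value TEXT)")
    db.executemany("INSERT INTO results VALUES (?, ?, ?)",
                   [("P001", "HbA1c", "5.4"), ("P002", "HbA1c", "7.1")])
    return db

def envelope(value):
    """Build a constructed SOAP request carrying `value` in tem:statement."""
    env = ET.Element("{%s}Envelope" % NS["soap"])
    body = ET.SubElement(env, "{%s}Body" % NS["soap"])
    op = ET.SubElement(body, "{%s}GetResults" % NS["tem"])  # hypothetical operation
    ET.SubElement(op, "{%s}statement" % NS["tem"]).text = value
    return ET.tostring(env)

def read_statement(xml_bytes):
    """Extract the text of tem:statement from a SOAP request ('' if absent)."""
    node = ET.fromstring(xml_bytes).find(".//tem:statement", NS)
    return (node.text or "") if node is not None else ""

def lookup_concatenated(db, xml_bytes):
    """Vulnerable pattern: the SOAP value becomes part of the SQL text."""
    sql = ("SELECT patient, test, value FROM results WHERE patient = '"
           + read_statement(xml_bytes) + "'")
    return db.execute(sql).fetchall()

def lookup_parameterized(db, xml_bytes):
    """Hardened pattern: the value is bound as data and never parsed as SQL."""
    sql = "SELECT patient, test, value FROM results WHERE patient = ?"
    return db.execute(sql, (read_statement(xml_bytes),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal id, a stray quote, and a quote-based tautology.
    for value in ("P001", "P001'", "' OR '1'='1"):
        req = envelope(value)
        for fn in (lookup_concatenated, lookup_parameterized):
            try:
                print(repr(value), fn.__name__, fn(db, req))
            except sqlite3.Error as exc:
                print(repr(value), fn.__name__, "SQL error:", exc)
```

With concatenation, the stray quote surfaces as a database error and the tautology returns every row; with the bound parameter both inputs are compared as literal strings and match nothing.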
CVE PoC:
1- Access WSDL file -> service +?WSDL
2- Parse the WSDL using Burp and start manipulating the </tem:statement> parameter; you will receive a SQL error.
3- Inject a SQL payload in the </tem:statement> parameter, for example to check the database version and type.
Acknowledgment:
I would like to thank Mahub alHarbi https://www.linkedin.com/in/k3l03/ for his support.
Thank you.
https://www.linkedin.com/in/waad-albayyali-0475a7160/
Saudi Information and Technology Company — SITE