Lucene search

K

ABB Cylon Aspect 3.08.03 (CookieDB) SQL Injection

šŸ—“ļøĀ 06 Jan 2025Ā 00:00:00Reported byĀ Gjoko KrsticTypeĀ 
zeroscience
Ā zeroscience
šŸ”—Ā zeroscience.mkšŸ‘Ā 276Ā Views

ABB Cylon Aspect 3.08.03 has SQL injection vulnerabilities allowing unauthorized data access.

Show more
Code
<html><body><p>ABB Cylon Aspect 3.08.03 (CookieDB) SQL Injection


Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
                  Firmware: &lt;=3.08.03

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from an SQL injection through the
key and user parameters. These inputs are not properly sanitized and do not
utilize stored procedures, allowing attackers to manipulate SQL queries and
potentially gain unauthorized access to the database or execute arbitrary SQL
commands.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
           ErgoTech MIX Deployment Server 2.0.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5900
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5900.php


21.04.2024

--


$ cat project

                 P   R   O   J   E   C   T

                        .|
                        | |
                        |'|            ._____
                ___    |  |            |.   |' .---"|
        _    .-'   '-. |  |     .--'|  ||   | _|    |
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
     |' | |.    |    ||       | |   |  |    ||      |
 ____|  '-'     '    ""       '-'   '-.'    '`      |____
ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘ ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘  
ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ 
ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ 
ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ 
ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ 
ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ 
ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘                                                            
         ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘ ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘ 
         ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘
         ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ 
         ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–’ā–“ā–ˆā–ˆā–ˆā–“ā–’ā–‘
         ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘
         ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘
         ā–‘ā–’ā–“ā–ˆā–“ā–’ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘ ā–‘ā–’ā–“ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–“ā–’ā–‘                                               
                                                                                                               

$ ./sqli.py -2 CookieDb.java
removeUserCookie()  -&gt; DELETE FROM Cookies WHERE Key=\"" + key + "\"" + " AND " + "User" + "=\"" + user + "\"";
getAllUserCookies() -&gt; SELECT * FROM Cookies WHERE User=\"" + user + "\"";</p></body></html>

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. ContactĀ us for a demo andĀ discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo