Petraware pTransformer ADC before 2.1.7.22827 allows SQL Injection via the User ID parameter to the login form.

Hi All,

Today I will share a PoC for a vulnerability found during a pentest.

As per the title, I recently found a SQL injection vulnerability in a thick client.

To read more about thick clients, see: https://techterms.com/definition/thickclient

Thick clients, also called heavy clients, are full-featured computers that are connected to a network. While a thick client is fully functional without a network connection, it is only a "client" when it is connected to a server. The server may provide the thick client with programs and files that are not stored on the local machine's hard drive.

  • Exploit Title: Petraware pTransformer ADC before 2.1.7.22827 allows SQL Injection via the User ID parameter to the login form.
  • Details & Description: SQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input. An SQL injection occurs when an application accepts user input that is placed directly into a SQL statement without properly filtering out dangerous characters.
  • Product Affected: pTransformer ADC
  • Attack Type: Local
  • Vulnerable Version: 2.0
  • Fixed Version: 2.1.7.22827
  • CVE ID: CVE-2019-12372

The vulnerability was found on the login form of the thick client. The vulnerable parameter is User ID. The application does not properly filter dangerous characters such as the single quote ('), resulting in the vulnerability.

Payload used: ' or '1'='1'--

Picture: injecting the SQL statement into the login form

Picture: the login is bypassed using the SQL statement

By using this vulnerability, I can bypass the login form and log in as admin without supplying any password.
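As an added example that is not part of the original post: the login-query pattern the post describes, rendered in Python against a constructed in-memory SQLite table (the real pTransformer ADC backend, schema and code are not known from the post and are assumed here). The string-concatenated query is shown beside the parameterised fix so the difference in behaviour on the post's payload is visible.

```python
import sqlite3

# Constructed stand-in for the backend user table; the real schema is unknown.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse', 'admin')")
    conn.commit()
    return conn

def login_vulnerable(conn, user_id, password):
    # The defect described in the post: user input is concatenated straight into
    # the statement, so a single quote in user_id closes the literal and the rest
    # of the input is parsed as SQL.
    sql = ("SELECT role FROM users WHERE user_id = '" + user_id +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_fixed(conn, user_id, password):
    # Parameterised query: the driver binds user_id and password as data values,
    # so quote characters never change the structure of the statement.
    sql = "SELECT role FROM users WHERE user_id = ? AND password = ?"
    row = conn.execute(sql, (user_id, password)).fetchone()
    return row[0] if row else None

# The payload quoted in the post, entered into the User ID field with an empty password.
PAYLOAD = "' or '1'='1'--"

def demo():
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, PAYLOAD, ""),    # 'admin' (bypass)
        "fixed": login_fixed(conn, PAYLOAD, ""),              # None (rejected)
        "legit": login_fixed(conn, "admin", "correct-horse"),  # 'admin'
    }

if __name__ == "__main__":
    print(demo())
```

The plaintext password column is only for brevity of the demonstration; a real login store would compare a salted hash.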


Big thanks to the vendor of the software, Petraware Technologies, which acted promptly to fix the vulnerability upon receiving the report.

Credit: Special thanks to d3ck4 who helped me a lot on this matter.
