Petraware pTransformer ADC SQL Injection

Petraware pTransformer ADC versions prior to suffer from a remote SQL injection vulnerability that allows for login bypass.

MD5 | fdacd40b7f995ee16e885b9b75ab2e78

# Exploit Title: Petraware pTransformer ADC before allows SQL Injection via the User ID parameter to the login form.
# Date: 28-05-2019
# Exploit Author: Faudhzan Rahman
# Website:
# Vendor Homepage:
# Version: 2.0
# CVE : CVE-2019-12372
# Tested on: Windows 10 Pro


The login form on pTransformer ADC does not filter dangerous characters such
as the single quote ('). This has caused the application to be vulnerable to SQL


The vulnerable parameter is User ID. Injecting ' or '1'='1'-- into it
bypasses the login form.
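
The flaw class described above and its fix, as an added example that is not Petraware's code or part of the original advisory. The table layout, function names and credentials are assumptions constructed for illustration; only the User ID string comes from the advisory.

```python
import hashlib
import hmac
import sqlite3

PAYLOAD = "' or '1'='1'-- "      # User ID value quoted in the advisory
DEMO_SALT = b"constructed-salt"  # fixed salt keeps the demo short; use a per-user salt in practice


def pw_digest(password):
    """Hex PBKDF2 digest of the password (hypothetical storage format)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000).hex()


def make_db():
    """Constructed in-memory user table with one account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", pw_digest("correct horse")))
    return db


def login_vulnerable(db, user_id, password):
    # Flawed pattern: the User ID is concatenated into the SQL text, so a
    # single quote closes the string literal, the OR clause is always true
    # and "--" comments out the password check.
    sql = ("SELECT 1 FROM users WHERE user_id = '" + user_id +
           "' AND pw_hash = '" + pw_digest(password) + "'")
    return db.execute(sql).fetchone() is not None


def login_safe(db, user_id, password):
    # Fix: the User ID is passed as a bound parameter and is only ever
    # treated as data; the password is verified in application code.
    row = db.execute("SELECT pw_hash FROM users WHERE user_id = ?",
                     (user_id,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], pw_digest(password))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login, advisory string:", login_vulnerable(db, PAYLOAD, "x"))
    print("parameterized login, advisory string:", login_safe(db, PAYLOAD, "x"))
    print("parameterized login, valid credentials:", login_safe(db, "admin", "correct horse"))
```

With bound parameters the quote character needs no filtering, because it never reaches the SQL parser as syntax.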

