SQL Injection in WSDL file

Waad Ahmed
2 min read · May 7, 2023


Summary:

While testing healthcare applications, we found an unauthenticated SQL injection vulnerability: an unauthenticated user can inject a SQL payload into the </tem:statement> parameter exposed through the service's WSDL file and retrieve database information.

Vulnerability Details:

  • Vendor: Medical Systems Co. — medisys
  • Vulnerability: SQL injection
  • Affected Version: Weblab Products — 19.4.03
  • Vendor Homepage: https://www.amano.eu/en/
  • CVE: CVE-2023-29863

Vulnerability Description:

A SQL Injection attack consists of the insertion or injection of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database, or cause a denial of service.

Vulnerability Implications:

An attacker can successfully mount one or more of the following types of attacks:

  • Reading, updating and deleting arbitrary data/tables from the database.
  • Executing commands on the underlying operating system.
  • Causing a denial of service against the application.

Vulnerability Actions:

A very robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements).

Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.
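The following is an added illustration of that mitigation, not code from the vendor or from the original post. It parses a constructed SOAP request carrying a tem:statement element (the tempuri.org namespace URI and the Query wrapper element are assumptions) and runs the value through a concatenated query and a parameterized one, against an in-memory SQLite table built inline.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Namespace map for the constructed request; the tem URI is an assumption.
NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
      "tem": "http://tempuri.org/"}

def soap_request(value: str) -> str:
    """Build a constructed SOAP envelope with the client value in tem:statement."""
    return (f'<soapenv:Envelope xmlns:soapenv="{NS["soapenv"]}" '
            f'xmlns:tem="{NS["tem"]}"><soapenv:Body>'
            f'<tem:Query><tem:statement>{value}</tem:statement></tem:Query>'
            f'</soapenv:Body></soapenv:Envelope>')

def extract_statement(soap_xml: str) -> str:
    """Pull the tem:statement text out of the envelope (empty if absent)."""
    node = ET.fromstring(soap_xml).find(".//tem:statement", NS)
    return node.text if node is not None and node.text else ""

def make_db() -> sqlite3.Connection:
    """Constructed sample table; one name contains a single quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?)",
                     [(1, "Alice"), (2, "O'Brien")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, statement: str) -> list:
    # Dynamic SQL: the value becomes part of the query text, so a quote
    # in the input changes the statement's structure, not just its data.
    sql = "SELECT id FROM patients WHERE name = '" + statement + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn: sqlite3.Connection, statement: str) -> list:
    # Prepared statement: the driver binds the value separately, so the
    # same input is only ever compared as data.
    sql = "SELECT id FROM patients WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (statement,))]

def classify(value: str) -> tuple:
    """Run one request value through both handlers and report the outcomes."""
    conn = make_db()
    stmt = extract_statement(soap_request(value))
    try:
        vulnerable = lookup_vulnerable(conn, stmt)
    except sqlite3.OperationalError:
        vulnerable = "SQL error"   # the database error a tester sees first
    return vulnerable, lookup_parameterized(conn, stmt)
```

A quote in the input is enough to make the concatenated query fail with a database error, while the parameterized query returns the matching row; the same binding discipline applies whatever database the real service uses.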

CVE PoC:

1- Access the WSDL file -> service + ?WSDL

2- Parse the WSDL using Burp and start manipulating the </tem:statement> parameter; you will receive a SQL error.

3- Inject a SQL payload in the </tem:statement> parameter, for example to check the database type and version.

Acknowledgment:

I would like to thank Mahub alHarbi https://www.linkedin.com/in/k3l03/ for his support.

Thank you.

https://www.linkedin.com/in/waad-albayyali-0475a7160/

Saudi Information and Technology Company — SITE
