cbcvebase.
CVE-2021-30175
published 2021-04-13

CVE-2021-30175: ZEROF Web Server 1.0 (April 2021) allows SQL Injection via the /HandleEvent endpoint for the login page.

PriorityP268critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
8.55%
94.4th percentile
ZEROF Web Server 1.0 (April 2021) allows SQL Injection via the /HandleEvent endpoint for the login page.

Affected

1 ranges
VendorProductVersion rangeFixed in
zerofweb_server

Detection & IOCsextracted from sources · hover to see the quote

url/HandleEvent
path/HandleEvent
commandAjax=1&IsEvent=1&Obj=O4F&Evt=click&this=O4F&"_fp_=_S_ID={{s_id}}&O33=%020%02%02'&O37=%020%02%02fff"&_seq_=2&_uo_=O
otherYou have an error in your SQL syntax
  • Identify ZEROF Web Server 1.0 instances by checking the root HTTP response body for the strings '_S_ID' and 'ZEROF Web Server' with HTTP 200 status.
  • Extract the session ID token from the JavaScript variable pattern '_S_ID="_S_ID=(.*?)";' in the root page response for use in the SQLi payload.
  • Confirm successful SQL injection exploitation by detecting the error string 'You have an error in your SQL syntax' in the HTTP response body, combined with a 'ZEROF' header and HTTP 200 status.
  • The attack targets the POST /HandleEvent endpoint with Content-Type application/x-www-form-urlencoded, injecting a single-quote via the O33 parameter (%020%02%02') to trigger SQL errors.
  • Use the Shodan query cpe:"cpe:2.3:a:google:web_server" (as noted in the template metadata) to discover exposed ZEROF Web Server instances for proactive scanning.
  • ·The Shodan query in the Nuclei template metadata references 'cpe:2.3:a:google:web_server' instead of the correct ZEROF CPE 'cpe:2.3:a:zerof:web_server:1.0', which may produce inaccurate search results.
  • ·The Nuclei template uses a two-step flow (http(1) && http(2)): the first request fingerprints the server and extracts the session ID, and only then does the second request deliver the SQLi payload. Both steps must succeed for a positive detection.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.