CVE-2021-30175
Published 2021-04-13
CVE-2021-30175: ZEROF Web Server 1.0 (April 2021) allows SQL Injection via the /HandleEvent endpoint for the login page.
Priority P268 · critical · 9.8 (CVSS 3.1)
AV:N AC:L PR:N UI:N S:U C:H I:H A:H
EXPLOIT
EPSS: 8.55% (94.4th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zerof | web_server | — | — |
Detection & IOCs (extracted from sources)
command: `Ajax=1&IsEvent=1&Obj=O4F&Evt=click&this=O4F&"_fp_=_S_ID={{s_id}}&O33=%020%02%02'&O37=%020%02%02fff"&_seq_=2&_uo_=O`
- Identify ZEROF Web Server 1.0 instances by checking the root HTTP response body for the strings '_S_ID' and 'ZEROF Web Server' with HTTP 200 status.
- Extract the session ID token from the JavaScript variable pattern '_S_ID="_S_ID=(.*?)";' in the root page response for use in the SQLi payload.
- Confirm successful SQL injection exploitation by detecting the error string 'You have an error in your SQL syntax' in the HTTP response body, combined with a 'ZEROF' header and HTTP 200 status.
- The attack targets the POST /HandleEvent endpoint with Content-Type application/x-www-form-urlencoded, injecting a single-quote via the O33 parameter (%020%02%02') to trigger SQL errors.
- Use the Shodan query cpe:"cpe:2.3:a:google:web_server" (as noted in the template metadata) to discover exposed ZEROF Web Server instances for proactive scanning.
- The Shodan query in the Nuclei template metadata references 'cpe:2.3:a:google:web_server' instead of the correct ZEROF CPE 'cpe:2.3:a:zerof:web_server:1.0', which may produce inaccurate search results.
- The Nuclei template uses a two-step flow (http(1) && http(2)): the first request fingerprints the server and extracts the session ID, and only then does the second request deliver the SQLi payload. Both steps must succeed for a positive detection.
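A log-side check for the request and response indicators listed above, as an added example (it is not part of the Nuclei template or of any vendor code). It assumes a proxy or WAF that records request and response bodies; the event layout, the function names, the set of SQL metacharacters and the reading of the `%02` bytes as field framing are assumptions.

```python
import re
from urllib.parse import parse_qsl

SQL_ERROR = "You have an error in your SQL syntax"  # error string named on the page
# Assumption: quotes, semicolons and comment markers are not expected in login fields.
SQL_META = re.compile(r"""['";]|--|/\*""")


def injected_fields(method, path, content_type, body):
    """Return names of /HandleEvent form fields whose value carries SQL metacharacters."""
    if method.upper() != "POST" or path.split("?", 1)[0] != "/HandleEvent":
        return []
    if not content_type.lower().startswith("application/x-www-form-urlencoded"):
        return []
    hits = []
    # parse_qsl percent-decodes, so an encoded quote (%27) is caught as well.
    for name, value in parse_qsl(body, keep_blank_values=True):
        # Values arrive framed by \x02 control bytes (%02 on the wire); treating the
        # text after the last \x02 as the user-supplied part is an assumption.
        user_input = value.rsplit("\x02", 1)[-1]
        if SQL_META.search(user_input):
            hits.append(name)
    return hits


def classify(event):
    """Grade one logged request/response pair: 'clean', 'attempt' or 'confirmed'."""
    fields = injected_fields(event["method"], event["path"],
                             event["content_type"], event["body"])
    if not fields:
        return "clean", []
    # A 200 response that echoes the database error means the input reached the query.
    leaked = event["status"] == 200 and SQL_ERROR in event["response_body"]
    return ("confirmed" if leaked else "attempt"), fields


def sample(o33, status, response_body):
    """Build a constructed login event (not captured traffic); session id is a placeholder."""
    body = ("Ajax=1&IsEvent=1&Obj=O4F&Evt=click&this=O4F&_fp_=_S_ID=PLACEHOLDER"
            f"&O33=%020%02%02{o33}&O37=%020%02%02fff&_seq_=2")
    return {"method": "POST", "path": "/HandleEvent",
            "content_type": "application/x-www-form-urlencoded",
            "body": body, "status": status, "response_body": response_body}


if __name__ == "__main__":
    for e in (sample("alice", 200, "ok"), sample("%27", 200, "login failed"),
              sample("'", 200, f"... {SQL_ERROR} ...")):
        print(classify(e))
```

An "attempt" verdict is worth alerting on for any host running this product; "confirmed" indicates the database error was returned to the client and the host should be treated as affected.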
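CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |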
No detection rules found.
Nuclei
ZEROF Web Server 1.0 - SQL Injection
nuclei·CVSS 9.8
CVE-2021-30175 [CRITICAL] ZEROF Web Server 1.0 - SQL Injection
Template:
```yaml
id: CVE-2021-30175
info:
  name: ZEROF Web Server 1.0 - SQL Injection
  author: edoardottt
  severity: critical
  description: |
    ZEROF Web Server 1.0 (April 2021) allows SQL Injection via the /HandleEvent endpoint for the login page.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix the SQL Injection vulnerability in ZEROF Web Server 1.0.
  reference:
    - https://github.com/awillix/research/blob/main/cve/CVE-2021-30175
```
No writeups or analysis indexed.
Published: 2021-04-13