CVE-2017-17721
📋 TL;DR
This vulnerability allows SQL injection attacks in ZUUSE BEIMS ContractorWeb .NET through multiple parameters in the CWEBNET/WOSummary/List endpoint. Attackers can execute arbitrary SQL commands on the database. Organizations using the affected software version are at risk.
💻 Affected Systems
- ZUUSE BEIMS ContractorWeb .NET
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution on the database server.
Likely Case
Unauthorized access to sensitive contractor data, manipulation of work orders, and potential extraction of database credentials.
If Mitigated
Limited to attempted attacks that are blocked by input validation and parameterized queries.
🎯 Exploit Status
Multiple public exploit scripts and detailed write-ups are available. The vulnerability requires no authentication to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions later than 5.18.0.0
Vendor Advisory: Not publicly documented in available references
Restart Required: Yes
Instructions:
1. Contact ZUUSE for the latest patched version.
2. Back up the application and database.
3. Install the updated version.
4. Restart the application services.
5. Test functionality.
🔧 Temporary Workarounds
Web Application Firewall (WAF) (all platforms)
Deploy a WAF with SQL injection rules to block malicious requests.
Input Validation Filter (Windows)
Implement input validation to reject suspicious characters in the vulnerable parameters.
🧯 If You Can't Patch
- Isolate the application behind a reverse proxy with strict input filtering
- Implement network segmentation to limit database access from the application server
🔍 How to Verify
Check if Vulnerable:
Test the CWEBNET/WOSummary/List endpoint with SQL injection payloads in the vulnerable parameters (tradestatus, assetno, etc.).
Check Version:
Check the application version in the web interface or configuration files.
Verify Fix Applied:
Verify that SQL injection attempts no longer succeed and that parameterized queries are implemented.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in application logs
- Multiple requests with SQL keywords in parameters
- Requests to CWEBNET/WOSummary/List with suspicious parameter values
Network Indicators:
- HTTP requests containing SQL injection patterns in query parameters
- Unusual database query patterns from the application server
SIEM Query:
source="web_logs" AND uri="/CWEBNET/WOSummary/List" AND (param="tradestatus" OR param="assetno" OR param="assignto" OR param="building" OR param="domain" OR param="jobtype" OR param="site" OR param="trade" OR param="woType" OR param="workorderno" OR param="workorderstatus") AND (content="' OR " OR content="UNION" OR content="SELECT" OR content="INSERT" OR content="UPDATE" OR content="DELETE")
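The log indicators and SIEM query above, turned into standalone detection logic as an added example (not code from the advisory or the vendor): it scopes matching to the CWEBNET/WOSummary/List endpoint and the parameter names listed, percent-decodes the query string before applying the same keyword patterns, and counts flagged requests per client. The combined log format and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names the advisory lists as injectable (compared case-insensitively).
VULN_PARAMS = {"tradestatus", "assetno", "assignto", "building", "domain", "jobtype",
               "site", "trade", "wotype", "workorderno", "workorderstatus"}
# The same keyword set the advisory's SIEM query uses, as one case-insensitive regex.
SQLI_RE = re.compile(r"'\s*OR\b|\bUNION\b|\bSELECT\b|\bINSERT\b|\bUPDATE\b|\bDELETE\b", re.I)
# Assumed combined-log layout: client ip, two dash fields, [timestamp], "METHOD target PROTO", status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Constructed sample lines (RFC 5737 addresses); the last one is outside the endpoint.
SAMPLE_LOGS = """\
203.0.113.7 - - [20/Dec/2017:10:01:02 +0000] "GET /CWEBNET/WOSummary/List?tradestatus=OPEN&site=HQ HTTP/1.1" 200 5120
203.0.113.9 - - [20/Dec/2017:10:01:05 +0000] "GET /CWEBNET/WOSummary/List?tradestatus=%27%20OR%201%3D1-- HTTP/1.1" 500 312
203.0.113.9 - - [20/Dec/2017:10:01:09 +0000] "GET /CWEBNET/WOSummary/List?assetno=1+UNION+SELECT+1&site=HQ HTTP/1.1" 200 8000
203.0.113.11 - - [20/Dec/2017:10:02:00 +0000] "GET /CWEBNET/Home/Index?q=select+a+site HTTP/1.1" 200 1000
"""

def inspect(line):
    """Return (client_ip, [flagged parameter names]) for a request to the vulnerable
    endpoint whose listed parameters carry a SQL pattern; otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith("/cwebnet/wosummary/list"):
        return None
    # parse_qsl percent-decodes values, so %27 and '+' are matched as "'" and " ".
    hits = sorted(k for k, v in parse_qsl(url.query, keep_blank_values=True)
                  if k.lower() in VULN_PARAMS and SQLI_RE.search(v))
    return (m.group("ip"), hits) if hits else None

def suspicious_clients(lines, threshold=2):
    """Count flagged requests per client and return those at or above the threshold,
    which is the advisory's 'multiple requests with SQL keywords' indicator."""
    counts = {}
    for line in lines:
        hit = inspect(line)
        if hit:
            counts[hit[0]] = counts.get(hit[0], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for line in SAMPLE_LOGS.splitlines():
        print(inspect(line))
    print(suspicious_clients(SAMPLE_LOGS.splitlines()))
```

Bare keyword matching will also flag legitimate values such as a building named "Update"; pair it with the endpoint scoping and the per-client count rather than alerting on a single keyword hit.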
🔗 References
- https://0day.today/exploit/29277
- https://becomepentester.blogspot.com/2017/12/ZUUSE-BEIMS-ContractorWeb-SQLInjection-CVE-2017-17721.html
- https://cxsecurity.com/issue/WLB-2017120155
- https://packetstormsecurity.com/files/145511/BEIMS-ContractorWeb-5.18.0.0-SQL-Injection.html
- https://www.cyber-security.ro/blog/2017/12/20/beims-contractorweb-5-18-0-0-sql-injection/
- https://www.exploit-db.com/exploits/43379/