
CVE-2021-42258 PoC — BQE BillQuick Web Suite SQL Injection Vulnerability

Associated Vulnerability
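Title: BQE BillQuick Web Suite SQL Injection Vulnerability (CVE-2021-42258)
Description: BQE BillQuick Web Suite is a time and billing system from the US company BQE. BQE BillQuick Web Suite contains a SQL injection vulnerability: BQE BillQuick Web Suite 2018 through 2021 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 to install ransomware. For example, SQL injection can be performed through the txtID (also known as username) parameter. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.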
Description
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
File Snapshot

id: CVE-2021-42258 info: name: BillQuick Web Suite SQL Injection author: dwisiswant0 severity ...