0Day SQLi Discovered during internal PenTesting


SentinelX Research

Hey everyone, we have something special today: our founder, aka Jbr ALOTaibi, discovered a new SQLi in the software affected by CVE-2024-24142.

The test was internal, and during it Jbr was playing with the parameters until he noticed an SQL error in the delete-task file.

Let's cut to the chase.

The vulnerable parameter in the software is the “task” parameter. It is used to connect to the database and then delete the task identified by its task ID. Jbr injected a single quote to see whether an SQL error came back, and the injection was successful.

When Jbr dropped the quote bomb, it lit up like a meme: SQL syntax error! After delving into the 40-line source code, we identified the vulnerable part. (This part is hilarious, sorry.)

And this is the DAMN part.

As you can see, it deletes the task by its ID via the task parameter.
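An added example, not the application's code and not from the original write-up: the delete-by-ID pattern described above, with the request value concatenated into the statement, beside a version that validates and binds it. Python with sqlite3, the `tasks` table, its columns and the function names are assumptions chosen so the example runs offline.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: an in-memory stand-in for the task table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tasks (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany(
        "INSERT INTO tasks (id, title) VALUES (?, ?)",
        [(1, "write report"), (2, "grade homework"), (3, "book room")],
    )
    db.commit()
    return db


def delete_task_vulnerable(db, task):
    """Anti-pattern: the 'task' request value becomes part of the SQL text."""
    try:
        cur = db.execute("DELETE FROM tasks WHERE id = " + task)
        db.commit()
        return ("ok", cur.rowcount)
    except sqlite3.Error as exc:
        # Echoing the driver error to the client is what exposes the flaw.
        return ("sql_error", str(exc))


def delete_task_hardened(db, task):
    """Accept only a short decimal id, then pass it as a bound parameter."""
    if not isinstance(task, str) or not re.fullmatch(r"[0-9]{1,9}", task):
        return ("rejected", 0)  # generic response, no database detail
    cur = db.execute("DELETE FROM tasks WHERE id = ?", (int(task),))
    db.commit()
    return ("ok", cur.rowcount)


if __name__ == "__main__":
    db = make_db()
    print(delete_task_vulnerable(db, "2"))  # normal request deletes one row
    print(delete_task_vulnerable(db, "'"))  # single quote breaks the statement
    print(delete_task_hardened(db, "'"))    # rejected before reaching the database
    print(delete_task_hardened(db, "3"))    # valid id still works
```
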

So Jbr wrote a PoC to exploit this vulnerability and calculated a CVSS score.

This is the full GIF video of the exploitation.

And the CVSS score is 9.8 (10.0 by mistake during the calculation).

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Thanks for reading.
Check out Jbr's socials:

https://twitter.com/Ev1ct1on

https://www.instagram.com/a7xy/

Bye bye.
