A security assessment tool that demonstrates a SQL injection vulnerability in Anuko Time Tracker's Version 1.20.0 puncher feature. This tool helps to Dump the whole tt_users Database and revels every single entry, If used as per following the simple instructions !
This tool is intended for:
- Security research and education
- Authorized penetration testing
- Vulnerability demonstration in controlled environments
Unauthorized use against systems you don't own or have explicit permission to test is illegal.
- Automated Exploitation: Streamlined process from login to credential extraction
- SQL Injection: Exploits time-based SQL injection in puncher feature
- Credential Extraction: Retrieves all user credentials from database
- Automatic Cleanup: Removes traces after exploitation
- User-Friendly Interface: Clear output and progress indicators
- Error Handling: Robust error management and user feedback
- Version 1.20.0 Or less
- Administrator Access is MUST Required
- Users database name is
tt_users( which is default OR also can be changed in script ) - Creat a group in Anuko Time Tracker, Via Login as ADMINISTRATOR
- Now Re-Login as Group Manager in Anuko web-app
- Now add a DEMO project as group manager in the group
- Now ENABLE the
Puncherplugin from thePluginsection - MAKE SURE TO SAVE ALL THE CHANGES !
- Python 3.6+
- Required packages:
pip install requests beautifulsoup4 lxml
python3 anuko_exploit.py --host http://target.com --username user --password pass
python3 anuko_exploit.py --host http://192.168.1.100/timetracker --username admin --password admin123
Argument Description Required
--host Target URL (e.g., http://target.com/timetracker) Yes --username Valid username for authentication Yes --password Valid password for authentication Yes --help Show help message and usage examples No