Skip to content

thepiyushkumarshukla/CVE-2022-24707_AnukoTimeTracker_Version-1.20.0_POC

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 

Repository files navigation

CVE-2022-24707 Anuko Time Tracker SQL Injection Exploit

A security assessment tool that demonstrates a SQL injection vulnerability in Anuko Time Tracker's Version 1.20.0 puncher feature. This tool helps to Dump the whole tt_users Database and revels every single entry, If used as per following the simple instructions !

⚠️ Disclaimer

This tool is intended for:

  • Security research and education
  • Authorized penetration testing
  • Vulnerability demonstration in controlled environments

Unauthorized use against systems you don't own or have explicit permission to test is illegal.

🚀 Features

  • Automated Exploitation: Streamlined process from login to credential extraction
  • SQL Injection: Exploits time-based SQL injection in puncher feature
  • Credential Extraction: Retrieves all user credentials from database
  • Automatic Cleanup: Removes traces after exploitation
  • User-Friendly Interface: Clear output and progress indicators
  • Error Handling: Robust error management and user feedback

📋 Prerequisites

WEB-APPLICATION ( Your must able to find all below settings, just explore the Web-Application )

  • Version 1.20.0 Or less
  • Administrator Access is MUST Required
  • Users database name is tt_users ( which is default OR also can be changed in script )
  • Creat a group in Anuko Time Tracker, Via Login as ADMINISTRATOR
  • Now Re-Login as Group Manager in Anuko web-app
  • Now add a DEMO project as group manager in the group
  • Now ENABLE the Puncher plugin from the Plugin section
  • MAKE SURE TO SAVE ALL THE CHANGES !

INTERNAL

  • Python 3.6+
  • Required packages:
    pip install requests beautifulsoup4 lxml
    
    

📖 Usage

python3 anuko_exploit.py --host http://target.com --username user --password pass

Example

python3 anuko_exploit.py --host http://192.168.1.100/timetracker --username admin --password admin123

Arguments

Argument Description Required

--host Target URL (e.g., http://target.com/timetracker) Yes --username Valid username for authentication Yes --password Valid password for authentication Yes --help Show help message and usage examples No

About

No description, website, or topics provided.

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages