
CVE-2022-24707 PoC — SQL injection in anuko timetracker

Associated Vulnerability
Title: SQL injection in anuko timetracker (CVE-2022-24707)
Description: Anuko Time Tracker is an open source, web-based time tracking application written in PHP. UNION SQL injection and time-based blind injection vulnerabilities existed in the Time Tracker Puncher plugin in versions of anuko timetracker prior to 1.20.0.5642. This happened because the Puncher plugin reused code from other places and relied on an unsanitized date parameter in POST requests. Because the parameter was not checked, it was possible to craft POST requests containing malicious SQL for the Time Tracker database. This issue has been resolved in version 1.20.0.5642. Users unable to upgrade are advised to add their own checks to input.
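As an added defensive example (not part of the PoC and not Time Tracker's own code), this is the kind of input check the advisory recommends for users who cannot upgrade: a strict validator for a POST date parameter, followed by a parameterised query so the value never becomes part of the SQL text. The PDO handle, the function names and the table and column names in the query are assumed for illustration.

```php
<?php
// Added example, not Time Tracker's own code. Function names, the $pdo handle
// and the table/column names below are assumed for illustration.

function isValidIsoDate(string $value): bool {
    // Accept only exactly YYYY-MM-DD; any appended characters fail the anchored match.
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $value)) {
        return false;
    }
    // createFromFormat is lenient (2022-02-31 rolls over into March), so require
    // that the parsed date round-trips to the identical string.
    $dt = DateTime::createFromFormat('!Y-m-d', $value);
    return $dt !== false && $dt->format('Y-m-d') === $value;
}

function fetchPunchRecords(PDO $pdo, int $userId, string $date): array {
    if (!isValidIsoDate($date)) {
        // Fail closed: a malformed date never reaches the query.
        throw new InvalidArgumentException('Invalid date parameter');
    }
    // Bound parameters keep the value out of the SQL string entirely
    // (table and column names are assumed, not taken from the project).
    $stmt = $pdo->prepare(
        'SELECT id, start, duration FROM tt_log WHERE user_id = :uid AND date = :d'
    );
    $stmt->execute([':uid' => $userId, ':d' => $date]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: one well-formed date, one with a trailing quote
// (the kind of tampering an injection relies on), one impossible calendar date.
var_dump(isValidIsoDate('2022-02-24'));   // bool(true)
var_dump(isValidIsoDate("2022-02-24'"));  // bool(false)
var_dump(isValidIsoDate('2022-02-31'));   // bool(false)
```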
Readme
# CVE-2022-24707 Anuko Time Tracker SQL Injection Exploit

A security assessment tool that demonstrates a SQL injection vulnerability in the puncher feature of Anuko Time Tracker version 1.20.0. Following the simple instructions below, it dumps the whole `tt_users` table and reveals every single entry.

## ⚠️ Disclaimer

This tool is intended for:
- Security research and education
- Authorized penetration testing
- Vulnerability demonstration in controlled environments

**Unauthorized use against systems you don't own or have explicit permission to test is illegal.**

## 🚀 Features

- **Automated Exploitation**: Streamlined process from login to credential extraction
- **SQL Injection**: Exploits time-based SQL injection in puncher feature
- **Credential Extraction**: Retrieves all user credentials from database
- **Automatic Cleanup**: Removes traces after exploitation
- **User-Friendly Interface**: Clear output and progress indicators
- **Error Handling**: Robust error management and user feedback

## 📋 Prerequisites

WEB-APPLICATION (you must be able to find all of the settings below; just explore the web application)
--------------------------------------
- Version 1.20.0 or less
- Administrator access is required
- The users table is named `tt_users` (the default; it can also be changed in the script)
- Create a group in Anuko Time Tracker while logged in as ADMINISTRATOR
- Re-login to the Anuko web app as the group manager
- Add a DEMO project to the group as group manager
- ENABLE the `Puncher` plugin from the `Plugin` section
- MAKE SURE TO SAVE ALL THE CHANGES!

INTERNAL
------------------------------------
- Python 3.6+
- Required packages:
  ```bash
  pip install requests beautifulsoup4 lxml
  ```

## 📖 Usage

```bash
python3 anuko_exploit.py --host http://target.com --username user --password pass
```

## Example

```bash
python3 anuko_exploit.py --host http://192.168.1.100/timetracker --username admin --password admin123
```

## Arguments

| Argument | Description | Required |
|---|---|---|
| `--host` | Target URL (e.g., http://target.com/timetracker) | Yes |
| `--username` | Valid username for authentication | Yes |
| `--password` | Valid password for authentication | Yes |
| `--help` | Show help message and usage examples | No |
File Snapshot

```
[4.0K] /data/pocs/8873f417197b72bd767ab1ed93029e5869e29c40
├── [ 11K] anuko_exploit.py
└── [2.2K] README.md

1 directory, 2 files
```