CVE-2022-24707
published 2022-02-24

CVE-2022-24707: Anuko Time Tracker is an open source, web-based time tracking application written in PHP. UNION SQL injection and time-based blind injection vulnerabilities…

Priority: P2 (65, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 7.16% (93.5th percentile)
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. UNION SQL injection and time-based blind injection vulnerabilities existed in the Time Tracker Puncher plugin in versions of Anuko Time Tracker prior to 1.20.0.5642. This happened because the Puncher plugin reused code from other places and relied on an unsanitized date parameter in POST requests. Because the parameter was not checked, it was possible to craft POST requests containing malicious SQL for the Time Tracker database. This issue has been resolved in version 1.20.0.5642. Users unable to upgrade are advised to add their own checks to input.

Affected (2 ranges)

Vendor  Product       Version range   Fixed in
anuko   time_tracker  < 1.20.0.5642   1.20.0.5642
anuko   timetracker   < 1.20.0.5642   1.20.0.5642

Detection & IOCs (extracted from sources)

url: /puncher.php
command: date={year}-{month}-{day}', comment=((SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema=database())), date='{year}-{month}-{day}
command: SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()
path: /puncher.php
path: /login.php
path: /time_edit.php
path: /time_delete.php
version: Anuko Time Tracker 1.20.0.5640
  • Monitor POST requests to /puncher.php for a 'date' parameter containing SQL metacharacters such as single quotes, comment sequences (--), or SQL keywords (SELECT, FROM, WHERE, group_concat, information_schema).
  • Alert on POST /puncher.php requests where the 'date' POST body parameter contains patterns matching UNION-based or time-based blind SQLi payloads (e.g., UNION SELECT, SLEEP(), BENCHMARK(), or comment injection via ', comment=((...))).
  • Inspect the 'date' POST parameter for the specific injection pattern: a valid date string followed by a single quote and SQL assignment syntax, e.g., YYYY-M-D', comment=((…)), date='YYYY-M-D
  • After a successful SQLi stop request, the attacker retrieves exfiltrated data via GET /time_edit.php?id=<id> by reading the 'note' textarea field. Correlate POST /puncher.php (btn_stop) with a subsequent GET /time_edit.php for the same session.
  • Exploitation requires the Puncher plugin to be enabled in the Anuko Time Tracker instance. If the plugin is disabled, the vulnerable endpoint /puncher.php returns 'Feature is disabled' and the attack path does not exist.
  • Exploitation is authenticated — the attacker must have valid credentials to the Anuko Time Tracker application before the SQLi can be triggered.
  • The vulnerability is fixed in version 1.20.0.5642. Instances running versions prior to 1.20.0.5642 are affected.
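As an added example (not code from the advisory or the Anuko project), a small Python detector that applies the checks above to constructed request records: it rejects any 'date' value sent to /puncher.php that is not a plain date, classifies what it finds using the patterns listed above, and correlates an injected stop request with a later /time_edit.php read in the same session. The record layout (timestamp, session id, method, path, body) and the session ids are assumptions; the sample payload is the command indicator listed above.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Allow-list for the expected value: YYYY-M-D or YYYY-MM-DD and nothing else.
VALID_DATE = re.compile(r"^\d{4}-\d{1,2}-\d{1,2}$")

# Patterns taken from the detection guidance above: a quote followed by SQL
# assignment syntax, schema enumeration keywords, time-based primitives, comments.
SQLI_PATTERNS = {
    "quote-assignment": re.compile(r"'\s*,\s*\w+\s*="),
    "schema-enum": re.compile(r"\b(union\s+select|information_schema|group_concat)\b", re.I),
    "time-based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "comment-seq": re.compile(r"--|/\*|#"),
}

def inspect_request(method, path, body):
    """Return [(matched_rules, raw_value)] for each bad 'date' in a POST /puncher.php."""
    if method != "POST" or urlsplit(path).path != "/puncher.php":
        return []
    findings = []
    for value in parse_qs(body, keep_blank_values=True).get("date", []):
        if VALID_DATE.match(value):
            continue  # well-formed date, nothing to report
        hits = [name for name, rx in SQLI_PATTERNS.items() if rx.search(value)]
        findings.append((hits or ["malformed-date"], value))
    return findings

def detect(records):
    """records: time-ordered (ts, session, method, path, body) tuples. Returns alerts."""
    alerts, stop_sessions = [], set()
    for ts, session, method, path, body in records:
        for hits, value in inspect_request(method, path, body):
            alerts.append({"ts": ts, "session": session, "rule": hits, "value": value})
            if "btn_stop" in parse_qs(body):  # injection arrived on a stop request
                stop_sessions.add(session)
        # A later time_edit.php read in the same session is where an injected
        # result would be viewed; flag it as the second half of the pattern.
        if method == "GET" and urlsplit(path).path == "/time_edit.php" and session in stop_sessions:
            alerts.append({"ts": ts, "session": session, "rule": ["post-sqli-read"], "value": path})
    return alerts

# Constructed sample records (assumed layout); the 'date' payload is the command indicator above.
PAYLOAD = ("2022-2-24', comment=((SELECT group_concat(table_name) FROM "
           "information_schema.tables WHERE table_schema=database())), date='2022-2-24")
SAMPLE_RECORDS = [
    (1, "sessA", "POST", "/puncher.php", urlencode({"date": "2022-2-24", "btn_start": "Start"})),
    (2, "sessB", "POST", "/puncher.php", urlencode({"date": PAYLOAD, "btn_stop": "Stop"})),
    (3, "sessB", "GET", "/time_edit.php?id=17", ""),
    (4, "sessA", "GET", "/time_edit.php?id=3", ""),
]
```

Running `detect(SAMPLE_RECORDS)` yields two alerts for sessB (the injected stop request and the follow-up time_edit.php read) and none for sessA.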

CVSS provenance

nvd  v3.1  8.8  HIGH    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd  v2.0  6.5  MEDIUM  AV:N/AC:L/Au:S/C:P/I:P/A:P