Bacula-Web Time-Based SQL Injection Vulnerability
Vulnerability Information
Vulnerability name: Bacula-Web Time-Based SQL Injection Vulnerability
Vulnerability identifiers:
- CVE: CVE-2025-45346
Vulnerability type: SQL injection
Severity: High
Description: Bacula-Web is a web interface for managing and monitoring Bacula backup systems, widely deployed in enterprise environments so that administrators can manage backup jobs through a graphical interface. The vulnerability affects Bacula-Web versions that support the PostgreSQL backend. It is a time-based blind SQL injection in the `jobfiles` endpoint: an attacker can use the `pg_sleep()` function to trigger deliberate delays and thereby extract information from the PostgreSQL database, including the database version. The technical root cause is insufficient validation of user input in the backend logic, which allows maliciously crafted SQL statements to be executed. Because the flaw lets a remote attacker execute arbitrary SQL commands and disclose sensitive information, its risk is rated high. Exploitation does not require authentication and can be automated, potentially leading to data leakage and a loss of trust in the system. Administrators are advised to implement input validation on the `jobfiles` route, use parameterized queries, and upgrade to the latest patched version to mitigate the vulnerability.
Vendor: Bacula-Web
Product: Bacula-Web
Affected versions: Confirmed in versions supporting PostgreSQL backend
Source: https://github.com/0xsu3ks/CVE-2025-45346
Type: CVE-2025:github search
Repository files
- README.md
- cve-2025-45346.py
Source overview
CVE-2025-45346 – Bacula-Web Time-Based SQL Injection (PostgreSQL Version Extraction)
📝 Overview
Vulnerability Title: Time-Based Blind SQL Injection in Bacula-Web
Product: Bacula-Web
Versions Affected: Confirmed in versions supporting PostgreSQL backend
CVE ID: CVE-2025-45346
Severity: High
Attack Vector: Remote
Impact: Arbitrary SQL Execution, Information Disclosure
🧨 Description
This proof-of-concept (PoC) demonstrates a time-based blind SQL injection vulnerability in the `jobfiles` endpoint of Bacula-Web.
A remote attacker can leverage this flaw to extract information from the underlying PostgreSQL database — including the database version — by triggering deliberate delays using the `pg_sleep()` function.
🚀 Features
- Confirms presence of SQL injection via time delay test
- Automatically extracts PostgreSQL version character-by-character
- Utilizes URL-encoded payloads for precision
- Prints live progress during version extraction
📌 Usage
⚙️ Requirements
- Python 3.x
- `requests` library (`pip install requests`)
🔧 Configuration
Edit the script and set:
- `base_url`: replace with your Bacula-Web target URL
- `REPLACEME`: replace with your valid Bacula-Web session cookie
🏃 Run the Script
🧾 Exploit Workflow
- Sends a benign SQL payload with `pg_sleep(2)` to verify injection.
- If the server response takes ~2s, the script proceeds to extract the version.
- It loops through positions in the PostgreSQL version string using `SUBSTRING()` and compares characters one-by-one.
- Delay-based detection identifies the correct character.
🔐 Impact
- Exposes sensitive database information to remote attackers
- May be leveraged to chain into further SQL-based exploitation
- Undermines trust in the web interface for backup job visibility
🛡️ Mitigation
- Apply input validation on the `jobfiles` route
- Use parameterized queries in backend logic
- Upgrade Bacula-Web to the latest patched version (once available)
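The following is an added example written for this page; it is not code from the Bacula-Web project or from the PoC repository. It shows the two mitigation points above in working form (strict validation of the route parameter, and a parameterized query instead of string concatenation) together with detection logic for the delay-based workflow described in the Exploit Workflow section, run over a few constructed access-log lines. Everything not stated on the page is an assumption: the `jobid` parameter name, the `file`/`filename` table and column names, the log format (combined-log style with a trailing response time in milliseconds), and all function names.

```python
"""Defender-side helpers for CVE-2025-45346 (Bacula-Web jobfiles SQL injection).

Added example, not part of Bacula-Web or the PoC. Assumed (not from the page):
the jobfiles route takes a numeric `jobid` parameter, the catalog table/column
names used in the query, and the constructed access-log format below.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# ---- Mitigation: validate the parameter, then bind it instead of concatenating ----

def validate_jobid(raw):
    """Return the job id as int, or None unless it is a plain positive integer.
    A job identifier never legitimately contains quotes, spaces or function
    calls, so an allowlist of digits removes the injection surface entirely."""
    if raw is None or not re.fullmatch(r"[1-9][0-9]{0,9}", raw):
        return None
    return int(raw)

def build_jobfiles_query(raw_jobid):
    """Return (sql, params) for a DB-API cursor, e.g. psycopg2's cur.execute(sql, params).
    The value travels as a bound parameter, never as part of the SQL text.
    Table/column names are assumed for illustration."""
    jobid = validate_jobid(raw_jobid)
    if jobid is None:
        raise ValueError("invalid jobid")
    return ("SELECT filename FROM file WHERE jobid = %s", (jobid,))

# ---- Detection: flag time-based SQLi indicators on the jobfiles route ----

# Time-delay primitives of PostgreSQL and common equivalents, matched on the
# URL-decoded query string (the PoC sends its payloads URL-encoded).
TIME_BASED_INDICATORS = re.compile(
    r"pg_sleep\s*\(|\bsleep\s*\(|\bbenchmark\s*\(|\bwaitfor\s+delay\b", re.IGNORECASE)

# Constructed format: ip - - [ts] "METHOD target HTTP/x" status bytes response_ms
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<rt_ms>\d+)$')

def analyze_log_line(line, slow_ms=1500):
    """Return an alert dict for a suspicious jobfiles request, else None.
    A slow response on its own is only corroboration (large jobs are slow too);
    an alert needs a SQL time-delay indicator or a malformed jobid."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if "jobfiles" not in parts.path:
        return None
    findings = []
    if TIME_BASED_INDICATORS.search(unquote_plus(parts.query)):
        findings.append("time-based-sqli-indicator")
    params = parse_qs(parts.query, keep_blank_values=True)
    if any(validate_jobid(v) is None for v in params.get("jobid", [])):
        findings.append("non-numeric-jobid")
    if not findings:
        return None
    rt_ms = int(m.group("rt_ms"))
    if rt_ms >= slow_ms:
        findings.append("slow-response")  # the delay the PoC relies on
    severity = "high" if "time-based-sqli-indicator" in findings else "medium"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "rt_ms": rt_ms,
            "severity": severity, "findings": findings}

def scan_log(text, slow_ms=1500):
    """Run analyze_log_line over every line of an access log; return the alerts."""
    alerts = []
    for line in text.splitlines():
        alert = analyze_log_line(line.strip(), slow_ms)
        if alert:
            alerts.append(alert)
    return alerts

# Constructed sample log: one clean request, one time-delay probe that took ~2s,
# one quote-based probe, one unrelated route.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2025:10:00:01 +0000] "GET /jobfiles?jobid=42 HTTP/1.1" 200 5120 37
10.0.0.9 - - [01/Jun/2025:10:00:05 +0000] "GET /jobfiles?jobid=pg_sleep%282%29 HTTP/1.1" 200 5120 2041
10.0.0.9 - - [01/Jun/2025:10:00:08 +0000] "GET /jobfiles?jobid=42%27 HTTP/1.1" 500 312 40
10.0.0.5 - - [01/Jun/2025:10:00:09 +0000] "GET /dashboard HTTP/1.1" 200 9001 12
"""

if __name__ == "__main__":
    print(build_jobfiles_query("42"))
    for a in scan_log(SAMPLE_LOG):
        print(a["severity"], a["ip"], a["ts"], a["rt_ms"], "ms", a["findings"])
```

The validation step is what actually closes the hole: once `jobid` can only be a bounded integer, the query text cannot be altered regardless of how the ORM or driver is called. The parameterized query is defence in depth for parameters that cannot be reduced to an allowlist. On the detection side, correlating the response time with the request content is what distinguishes a delay-based probe from an ordinary slow page.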
👨‍💻 Discoverer
Security Researcher – Kevin Suckiel – 0xsu3ks
PoC for CVE-2025-45346 disclosed via responsible disclosure.
⚠️ Legal Notice
This tool is provided for authorized testing and research purposes only.
The author is not responsible for any unauthorized use or misuse of this PoC.