Attacker Value

Very High

1

Ship Ferry Ticket Reservation System v1.0 SQL-Injection-Bypass-Authentication

1

Attacker Value

Very High

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

1

Ship Ferry Ticket Reservation System v1.0 SQL-Injection-Bypass-Authentication

Last updated August 31, 2021

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Execution

Techniques

Validation

Command and Scripting Interpreter: Python

Validated

Command and Scripting Interpreter: JavaScript/JScript

Validated

Exploitation for Client Execution

Validated

Description

Description:
The Ship/Ferry Ticket Reservation System v1.0 is vulnerable in the application /ship_ticketing/classes/Login.php from SQL-Injection-Bypass-Authentication. The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads. When the user will sending a malicious query or malicious payload to the MySQL server he can bypass the login credentials and take control of the administer account.

Add Assessment

2

nu11secur1ty (198)

August 31, 2021 2:31pm UTC (3 years ago)•Edited 3 years ago

Ratings

Attacker Value

Very High

Exploitability

Very High

Easy to weaponize Gives privileged access Vulnerable in default configuration

Technical Analysis

Ship Ferry Ticket Reservation System `v1.0`

Vendor

Description:

The Ship/Ferry Ticket Reservation System v1.0 is vulnerable in the application /ship_ticketing/classes/Login.php from SQL-Injection-Bypass-Authentication.
The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
When the user will sending a malicious query or malicious payload to the MySQL server he can bypass the login credentials and take control of the administer account.

Broken structure:

	public function login(){
		extract($_POST);

		$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k) && $k != 'password'){
					$this->settings->set_userdata($k,$v);
				}

			}

Simple fix, but not enough `strong`!!!:

	public function login(){
		extract($_POST);

		$qry = $this->conn->query("SELECT * from users where username = ('$username') and password = md5('$password') ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k) && $k != 'password'){
					$this->settings->set_userdata($k,$v);
				}

			}

Proof:

BR

[+] @nu11secur1ty

Log in to Add Reply

References

Exploit

Description: The Ship/Ferry Ticket Reservation System v1.0 is vulnerable in the application /ship_ticketing/classes/Login.php from SQL-Injection-Bypass-Authentication. The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads. When the user will sending a malicious query or malicious payload to the MySQL server he can bypass the login credentials and take control of the administer account. (https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/CVE-nu11-02)

Rapid7

Technical Analysis