Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
1

Ship Ferry Ticket Reservation System v1.0 SQL-Injection-Bypass-Authentication

Last updated August 31, 2021
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Execution
Techniques
Validation
Validated
Validated
Validated

Description

Description:
The Ship/Ferry Ticket Reservation System v1.0 is vulnerable in the application /ship_ticketing/classes/Login.php from SQL-Injection-Bypass-Authentication. The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads. When the user will sending a malicious query or malicious payload to the MySQL server he can bypass the login credentials and take control of the administer account.

Add Assessment

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Ship Ferry Ticket Reservation System v1.0

Vendor

Description:

The Ship/Ferry Ticket Reservation System v1.0 is vulnerable in the application /ship_ticketing/classes/Login.php from SQL-Injection-Bypass-Authentication.
The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
When the user will sending a malicious query or malicious payload to the MySQL server he can bypass the login credentials and take control of the administer account.

Broken structure:

	public function login(){
		extract($_POST);

		$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k) && $k != 'password'){
					$this->settings->set_userdata($k,$v);
				}

			}

Simple fix, but not enough strong!!!:

	public function login(){
		extract($_POST);

		$qry = $this->conn->query("SELECT * from users where username = ('$username') and password = md5('$password') ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k) && $k != 'password'){
					$this->settings->set_userdata($k,$v);
				}

			}

Proof:

href

BR

[+] @nu11secur1ty

General Information

Technical Analysis