Attacker Value

Very High

eLearning V2(by: oretnom23) is vulnerable from remote SQL-Injection-Bypass-Authentication

Attacker Value

Very High

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

eLearning V2(by: oretnom23) is vulnerable from remote SQL-Injection-Bypass-Authentication

Last updated September 06, 2021

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Execution

Techniques

Validation

Command and Scripting Interpreter: Windows Command Shell

Validated

Command and Scripting Interpreter: Python

Validated

Command and Scripting Interpreter: JavaScript/JScript

Validated

Exploitation for Client Execution

Validated

Description

Description:

The eLearning V2(by: oretnom23) is vulnerable from remote SQL-Injection-Bypass-Authentication in 3 accounts of the system (admin, Faculty & Student) in app /elearning/classes/Login.php. remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication. The parameter (username, faculty_id, and student_id) from the login form is not protected correctly and there is no security and escaping from malicious payloads. When the user will sending a malicious query or malicious payload to the MySQL server for those three accounts, he can bypass the login credentials and take control of these accounts.

Add Assessment

nu11secur1ty (195)

September 06, 2021 10:08am UTC (2 years ago)•

Ratings

Attacker Value

Very High

Exploitability

Very High

Easy to weaponize Gives privileged access Vulnerable in default configuration Authenticated

Technical Analysis

CVE-nu11-07

VENDOR

– – ## eLearning V2(by: oretnom23) is vulnerable from remote SQL-Injection-Bypass-Authentication

Description:

The eLearning V2(by: oretnom23) is vulnerable from remote SQL-Injection-Bypass-Authentication in 3 accounts of the system (admin, Faculty & Student) in app /elearning/classes/Login.php.
remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameter (username, faculty_id, and student_id) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
When the user will sending a malicious query or malicious payload to the MySQL server for those three accounts, he can bypass the login credentials and take control of these accounts.

– – Vulnerable PHP app code in /elearning/classes/Login.php

	public function login(){
		extract($_POST);

		$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k) && $k != 'password'){
					$this->settings->set_userdata($k,$v);
				}

			}
			$this->settings->set_userdata('login_type',1);
		$sy = $this->conn->query("SELECT * FROM academic_year where status = 1");
		foreach($sy->fetch_array() as $k =>$v){
			if(!is_numeric($k)){
			$this->settings->set_userdata('academic_'.$k,$v);
			}
		}
		return json_encode(array('status'=>'success'));
		}else{
		return json_encode(array('status'=>'incorrect','last_qry'=>"SELECT * from users where username = '$username' and password = md5('$password') "));
		}
	}
	public function flogin(){
		extract($_POST);

		$qry = $this->conn->query("SELECT * from faculty where  faculty_id = '$faculty_id' and `password` = '".md5($password)."' ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k)){
					$this->settings->set_userdata($k,$v);
				}

			}
			$this->settings->set_userdata('login_type',2);
			$sy = $this->conn->query("SELECT * FROM academic_year where status = 1");
		foreach($sy->fetch_array() as $k =>$v){
			if(!is_numeric($k)){
			$this->settings->set_userdata('academic_'.$k,$v);
			}
		}
			return json_encode(array('status'=>'success'));
		}else{
		return json_encode(array('status'=>'incorrect'));
		}
	}
	public function slogin(){
		extract($_POST);

		$qry = $this->conn->query("SELECT * from students where  student_id = '$student_id' and `password` = '".md5($password)."' ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k)){
					$this->settings->set_userdata($k,$v);
				}

			}

CONCLUSION:

This vendor must STOP creating all these broken projects and vulnerable software programs, probably he is not a developer!
[+] by @nu11secur1ty System Administrator – Infrastructure and Penetration Testing Engineer

Reproduce:

https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/CVE-nu11-07

Proof:

href

BR

@nu11secur1ty

References

Exploit

The following exploit POCs have not been verified by Rapid7 researchers, but are sourced from: nomi-sec/PoC-in-GitHub.
Additional sources will be added here as they become relevant.
Notes: We will only add the top 3 POCs for a given CVE. POCs added here must have at least 2 GitHub stars.

Description: The eLearning V2(by: oretnom23) is vulnerable from remote SQL-Injection-Bypass-Authentication in 3 accounts of the system (admin, Faculty & Student) in app /elearning/classes/Login.php. remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication. The parameter (username, faculty_id, and student_id) from the login form is not protected correctly and there is no security and escaping from malicious payloads. When the user will sending a malicious query or malicious payload to the MySQL server for those three accounts, he can bypass the login credentials and take control of these accounts. (https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/CVE-nu11-07)

Rapid7

Very High