Attacker Value

Very High

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

1

CVE-nu11-14-092121

Last updated September 21, 2021

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Execution

Techniques

Validation

Command and Scripting Interpreter: Python

Validated

Command and Scripting Interpreter: JavaScript/JScript

Validated

Exploitation for Client Execution

Validated

Description

The Simple Forum/Discussion System by (oretnom23) is vulnerable to remote SQL-Injection-Bypass-Authentication for the admin account in app admin_class.php. remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication. The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads. When the user will sending a malicious query or malicious payload to the MySQL server, he can bypass the login credentials and take control of the admin account.

Add Assessment

1

nu11secur1ty (198)

September 21, 2021 6:06am UTC (3 years ago)•

Ratings

Attacker Value

Very High

Exploitability

Very High

Easy to weaponize Gives privileged access Vulnerable in default configuration

Technical Analysis

CVE-nu11-14-092121

Description:

The Simple Forum/Discussion System by (oretnom23) is vulnerable to remote SQL-Injection-Bypass-Authentication for the admin account in app admin_class.php.
remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
When the user will sending a malicious query or malicious payload to the MySQL server, he can bypass the login credentials and take control of the admin account.

Vulnerable PHP part of code and all logic and architecture of the login form:


function login(){
		
			extract($_POST);		
			$qry = $this->db->query("SELECT * FROM users where username = '".$username."' and password = '".md5($password)."' ");
			if($qry->num_rows > 0){
				foreach ($qry->fetch_array() as $key => $value) {
					if($key != 'passwors' && !is_numeric($key))
						$_SESSION['login_'.$key] = $value;
				}
					return 1;
			}else{
				return 3;
			}
	}

Simple fix but not correct and strong =)


	function login(){
		
			extract($_POST);		
			$qry = $this->db->query("SELECT * FROM users where username = ('".$username."') and password = '".md5($password)."' ");
			if($qry->num_rows > 0){
				foreach ($qry->fetch_array() as $key => $value) {
					if($key != 'passwors' && !is_numeric($key))
						$_SESSION['login_'.$key] = $value;
				}
					return 1;
			}else{
				return 3;
			}
	}

REproduce:

Proof:

Log in to Add Reply

References

Exploit

The Simple Forum/Discussion System by (oretnom23) is vulnerable to remote SQL-Injection-Bypass-Authentication for the admin account in app admin_class.php. remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication. The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads. When the user will sending a malicious query or malicious payload to the MySQL server, he can bypass the login credentials and take control of the admin account. (https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/CVE-nu11-14-092121)

Rapid7

Technical Analysis