Attacker Value: Very High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

POMS-PHP (by: oretnom23) v1.0 is vulnerable to remote SQL-Injection-Bypass-Authentication

MITRE ATT&CK tactics: Execution
Validation: Validated

Description

Vulnerability Description:

POMS-PHP (by: oretnom23) v1.0 is vulnerable to a remote SQL injection that bypasses authentication for the admin account, in /purchase_order/classes/Login.php.
Background on SQL injection authentication bypass: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The username parameter from the login form is neither validated nor escaped; it is concatenated unchanged into the SQL query sent to MySQL.
A remote user who submits a crafted value in this parameter can therefore bypass the login credentials and take control of the admin account.

Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-nu11-09

Vulnerability PHP code:

```php
public function login(){
    // extract() turns every POST field into a local variable, so $username
    // and $password come straight from the request body.
    extract($_POST);

    // Both values are interpolated into the SQL string without escaping or
    // parameter binding; the username is the injection point described above.
    $qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
    if($qry->num_rows > 0){
        foreach($qry->fetch_array() as $k => $v){
            if(!is_numeric($k) && $k != 'password'){
                $this->settings->set_userdata($k,$v);
            }
        }
        $this->settings->set_userdata('login_type',1);
        return json_encode(array('status'=>'success'));
    }else{
        // On failure the full query text, including the submitted password,
        // is echoed back to the client in the JSON response.
        return json_encode(array('status'=>'incorrect','last_qry'=>"SELECT * from users where username = '$username' and password = md5('$password') "));
    }
}
```

Responding from the hacked target:

PoC + checks: PoC-CVE-nu11-09-rfth.py
C:\Users\venvaropt\Desktop\CVE-nu11-09-09092021>python PoC-CVE-nu11-09.py

DevTools listening on ws://127.0.0.1:63704/devtools/browser/bf18be59-2361-4c08-82dc-689957d5bf9e

The payload for CVE-nu11-09 is deployed and your admin account is PWNED by SQL - Injection

Please see the screenshot poc.png to see if your exploit is working =) BR **[@nu11secur1ty](/contributors/nu11secur1ty)**

This target gives a positive <Response [200]> from inside, after bypassing the login :D

C:\Users\venvaropt\Desktop\CVE-nu11-09-09092021>

Exploit technique:

Python + Selenium + hidden login && screenshot

Proof:


BR
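The following is an added example, not code from POMS-PHP or from the assessment author: a hardened replacement for the Login::login() method quoted above. It assumes, as in the vulnerable method, that $this->conn is a mysqli connection and that $this->settings exposes set_userdata($key, $value); it further assumes the mysqlnd driver (for get_result()) and that users.password holds password_hash() output rather than an MD5 hex digest. The username is sent as a bound parameter, so quote characters and SQL keywords in it are treated as data, and the failure response no longer echoes the query or the submitted credentials.

```php
<?php
// Added example (not the POMS-PHP project's code). Assumptions: $this->conn is a
// mysqli connection, $this->settings has set_userdata($key, $value), mysqlnd is
// available, and users.password stores password_hash() output.
class Login
{
    private mysqli $conn;
    private $settings;

    public function __construct(mysqli $conn, $settings)
    {
        $this->conn = $conn;
        $this->settings = $settings;
    }

    public function login(): string
    {
        // Read only the two fields the form is expected to send; do not
        // extract() the whole untrusted $_POST array into local variables.
        $username = isset($_POST['username']) ? (string) $_POST['username'] : '';
        $password = isset($_POST['password']) ? (string) $_POST['password'] : '';
        if ($username === '' || $password === '') {
            return json_encode(['status' => 'incorrect']);
        }

        // Prepared statement: the username is bound as a string parameter and
        // never becomes part of the SQL text, so it cannot alter the query.
        $stmt = $this->conn->prepare('SELECT * FROM users WHERE username = ? LIMIT 1');
        $stmt->bind_param('s', $username);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();

        // Compare the password in PHP against a salted, slow hash instead of
        // computing md5() inside the query.
        if ($row === null || !password_verify($password, $row['password'])) {
            // Identical response for unknown user and wrong password, with no
            // query text or credentials echoed back to the client.
            return json_encode(['status' => 'incorrect']);
        }

        // Populate the session with the user record, excluding the hash.
        foreach ($row as $k => $v) {
            if ($k !== 'password') {
                $this->settings->set_userdata($k, $v);
            }
        }
        $this->settings->set_userdata('login_type', 1);
        return json_encode(['status' => 'success']);
    }
}
```

Because the original schema stores md5($password), deploying this method requires migrating stored hashes to password_hash() (for example by rehashing at each user's next successful login during a transition period); password_verify() returns false for an MD5 hex digest, so existing accounts would otherwise be locked out. The prepared statement alone closes the injection described in the assessment; the hashing and error-response changes address the weaknesses visible in the same method.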
