Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
1

AHSS-PHP (by: oretnom23 ) v1.0 is vulnerable in the application /scheduler/classes/Login.php to remote SQL-Injection-Bypass-Authentication + XSS-Stored Hijacking PHPSESSID

Last updated September 15, 2021
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Execution
Techniques
Validation
Validated
Validated

Description

Description:

The AHSS-PHP (by: oretnom23 ) v1.0 is vulnerable in the application /scheduler/classes/Login.php to remote SQL-Injection-Bypass-Authentication + XSS-Stored Hijacking PHPSESSID

  • m0re info: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
    The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
    When the user will sending a malicious query or malicious payload to the MySQL server he can bypass the login credentials and take control of the administer account.
  1. XSS – Stored PHPSESSID Vulnerable
  • The vulnerable XSS app: is “manage_assembly”, parameters: “room_name” “location” and “description”
    After the successful SQL injection, the malicious user can be storing an XSS payload whit who can take the
    active PHPSESSID session.
  1. remote PHPSESSID – Injection
  • After the successful XSS attack the malicious user can take control of the administrative account of the system from everywhere
    by using the PHPSESSID, and then he can make a lot of bad things!

Add Assessment

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Easy to weaponizeGives privileged accessVulnerable in default configuration
Technical Analysis

CVE-nu11-11

Description:

The AHSS-PHP (by: oretnom23 ) v1.0 is vulnerable in the application /scheduler/classes/Login.php to remote SQL-Injection-Bypass-Authentication + XSS-Stored Hijacking PHPSESSID

  • m0re info: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
    The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
    When the user will sending a malicious query or malicious payload to the MySQL server he can bypass the login credentials and take control of the administer account.
  1. XSS – Stored PHPSESSID Vulnerable
  • The vulnerable XSS app: is “manage_assembly”, parameters: “room_name” “location” and “description”
    After the successful SQL injection, the malicious user can be storing an XSS payload whit who can take the
    active PHPSESSID session.
  1. remote PHPSESSID – Injection
  • After the successful XSS attack the malicious user can take control of the administrative account of the system from everywhere
    by using the PHPSESSID, and then he can make a lot of bad things!

CONCLUSION:

This vendor must STOP creating all these broken projects and vulnerable software programs, probably he is not a developer!

BR

  • [+] @nu11secur1ty System Administrator – Infrastructure and Penetration Testing Engineer

Reproduce:

href

Proof:

href

BR nu11secur1ty

Log in to Add Reply

General Information

Offensive Application
exploit
Utility Class
privesc
Ports
Unknown
OS
Unknown
Vulnerable Versions
Unknown
Prerequisites
Unknown
Discovered By
nu11 secur1ty
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
nu11 secur1ty
Technical Analysis