Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
1

Simple Membership System using PHP and AJAX is vulnerable to remote SQL-Injection-Bypass-Authentication/XSS-Stored PWNED

Last updated September 17, 2021
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Execution
Techniques
Validation
Validated
Validated
Validated

Description

Description:

The Simple Membership System using PHP and AJAX is vulnerable to remote SQL-Injection-Bypass-Authentication for the admin account/XSS-Stored PWNED.
remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameters (username and password) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
When the user will sending a malicious query or malicious payload to the MySQL server for login to the admin account on the system,
he can bypass the login credentials and take control of this account. And the second time he can be adding a payload by using XSS-Stored

Add Assessment

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-nu11-13-091721

Vulnerability PHPapp code validate.phpand structure also

<?php
	require_once 'conn.php';
	$username = $_POST['username'];
	$password = $_POST['password'];
	$query = $conn->query("SELECT * FROM `admin` WHERE `username` = '$username' && `password` = '$password'") or die(mysqli_error());
	$validate = $query->num_rows;
	$fetch = $query->fetch_array();
	if($validate > 0){
		echo "Success";
		session_start();
		$_SESSION['admin_id'] = $fetch['admin_id'];
	}else{
		echo "Error";
	}

Simple fix.

  • WARNING: THIS IS NOT FIX OF THE PROBLEM, Just an example =)
<?php
	require_once 'conn.php';
	$username = $_POST['username'];
	$password = $_POST['password'];
	$query = $conn->query("SELECT * FROM `admin` WHERE `username` = ('$username') && `password` = '$password'") or die(mysqli_error());
	$validate = $query->num_rows;
	$fetch = $query->fetch_array();
	if($validate > 0){
		echo "Success";
		session_start();
		$_SESSION['admin_id'] = $fetch['admin_id'];
	}else{
		echo "Error";
	}

Description:

The Simple Membership System using PHP and AJAX is vulnerable to remote SQL-Injection-Bypass-Authentication for the admin account/XSS-Stored PWNED.
remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameters (username and password) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
When the user will sending a malicious query or malicious payload to the MySQL server for login to the admin account on the system,
he can bypass the login credentials and take control of this account. And the second time he can adding an payload by using XSS-Stored

BR

  • [+] @nu11secur1ty System Administrator – Infrastructure and Penetration Testing Engineer

Reproduce:

href

Proof:

href

BR nu11secur1ty

Technical Analysis