nu11secur1ty (53)

Last Login: September 17, 2021
Assessments
23
Score
53

nu11secur1ty's Contributions (23)

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-nu11-13-091721

Vulnerable PHP app code (validate.php) and structure:

<?php
	require_once 'conn.php';
	$username = $_POST['username'];
	$password = $_POST['password'];
	$query = $conn->query("SELECT * FROM `admin` WHERE `username` = '$username' && `password` = '$password'") or die(mysqli_error());
	$validate = $query->num_rows;
	$fetch = $query->fetch_array();
	if($validate > 0){
		echo "Success";
		session_start();
		$_SESSION['admin_id'] = $fetch['admin_id'];
	}else{
		echo "Error";
	}

Simple fix.

  • WARNING: THIS IS NOT A FIX OF THE PROBLEM, just an example =)
<?php
	require_once 'conn.php';
	$username = $_POST['username'];
	$password = $_POST['password'];
	$query = $conn->query("SELECT * FROM `admin` WHERE `username` = ('$username') && `password` = '$password'") or die(mysqli_error());
	$validate = $query->num_rows;
	$fetch = $query->fetch_array();
	if($validate > 0){
		echo "Success";
		session_start();
		$_SESSION['admin_id'] = $fetch['admin_id'];
	}else{
		echo "Error";
	}

Description:

The Simple Membership System using PHP and AJAX is vulnerable to remote SQL-Injection-Bypass-Authentication for the admin account/XSS-Stored PWNED.
remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameters (username and password) from the login form are not protected correctly and there is no security or escaping against malicious payloads.
When the user sends a malicious query or malicious payload to the MySQL server to log in to the admin account on the system,
he can bypass the login credentials and take control of this account. And the second time he can add a payload by using XSS-Stored.

BR

  • [+] @nu11secur1ty System Administrator – Infrastructure and Penetration Testing Engineer

Reproduce:


Proof:


BR nu11secur1ty

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-nu11-12-09162021

Description:

The South Gate Inn Online Reservation System © South Gate Inn is vulnerable to remote SQL-Injection-Bypass-Authentication for the admin account and XSS-Stored PWNED.
remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameters (email and Password) from the login form are not protected correctly and there is no security or escaping against malicious payloads.
When the user sends a malicious query or malicious payload to the MySQL server to log in to the admin account on the system,
he can bypass the login credentials and take control of this account.
And the second time he can access the admin account and add a payload by using the XSS-Stored technique, which can break the MySQL server.

Reproduce:


Proof:


1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-nu11-11

Description:

The AHSS-PHP (by: oretnom23 ) v1.0 is vulnerable in the application /scheduler/classes/Login.php to remote SQL-Injection-Bypass-Authentication + XSS-Stored Hijacking PHPSESSID

  • m0re info: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
    The parameter (username) from the login form is not protected correctly and there is no security or escaping against malicious payloads.
    When the user sends a malicious query or malicious payload to the MySQL server, he can bypass the login credentials and take control of the administrator account.
  1. XSS – Stored PHPSESSID Vulnerable
  • The vulnerable XSS app is “manage_assembly”, parameters: “room_name”, “location” and “description”.
    After the successful SQL injection, the malicious user can store an XSS payload with which he can take the
    active PHPSESSID session.
  2. remote PHPSESSID – Injection
  • After the successful XSS attack the malicious user can take control of the administrative account of the system from everywhere
    by using the PHPSESSID, and then he can make a lot of bad things!

CONCLUSION:

This vendor must STOP creating all these broken projects and vulnerable software programs, probably he is not a developer!

BR

  • [+] @nu11secur1ty System Administrator – Infrastructure and Penetration Testing Engineer

Reproduce:


Proof:


BR nu11secur1ty

1
Ratings
Technical Analysis

CVE-nu11-10-09102021

Vendor

Description:

The PHP CRUD (by: oretnom23 ) is vulnerable to XSS Stored Attack and remote SQL-Injection special characters.
In the application ajax_crud the parameters first_name, last_name, and email are vulnerable to XSS Stored attack!
When the user sends a malicious javascript payload, he can store a special character – string onto the MySQL server.
The MySQL server can’t read it because there are no prepared statements or the appropriate replacement/formatting rules
in order to prevent SQL injection, and the system will be down.
Status: CRITICAL

Documentation, HOW TO CHARACTER SET Statement:


Proof:


1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-nu11-09

Vulnerability Description:

The POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote SQL-Injection-Bypass-Authentication for the admin account in app /purchase_order/classes/Login.php.
remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameter (username) from the login form is not protected correctly and there is no security or escaping against malicious payloads.
When the user sends a malicious query or malicious payload to the MySQL server, he can bypass the login credentials and take control of the admin account.

Vulnerability PHP code:

	public function login(){
		extract($_POST);

		$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k) && $k != 'password'){
					$this->settings->set_userdata($k,$v);
				}

			}
			$this->settings->set_userdata('login_type',1);
		return json_encode(array('status'=>'success'));
		}else{
		return json_encode(array('status'=>'incorrect','last_qry'=>"SELECT * from users where username = '$username' and password = md5('$password') "));
		}
	}

Responding from the hacked target:

PoC + checks = PoC-CVE-nu11-09-rfth.py
C:\Users\venvaropt\Desktop\CVE-nu11-09-09092021>python PoC-CVE-nu11-09.py

DevTools listening on ws://127.0.0.1:63704/devtools/browser/bf18be59-2361-4c08-82dc-689957d5bf9e

The payload for CVE-nu11-09 is deployed and your admin account is PWNED by SQL - Injection

Please see the screenshot poc.png to see if your exploit is working =) BR @nu11secur1ty

This target gives a positive <Response [200]> from inside, after bypassing the login :D

C:\Users\venvaropt\Desktop\CVE-nu11-09-09092021>

Exploit technique:

Python + Selenium + hidden login && screenshot

Proof:


BR

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-nu11-08-09072021

VENDOR

Vulnerability Description:

The SURMS – PHP (by: oretnom23 ) v1.0 is vulnerable to remote SQL-Injection-Bypass-Authentication for the admin account in app: /storage/classes/Login.php and XSS PWNED PHPSESSID Hijacking in app “tenants”.
Remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameter (username) from the login form is not protected correctly and there is no security or escaping against malicious payloads.
When the user sends a malicious query or malicious payload to the MySQL server for those three accounts, he can bypass the login credentials and take control of these accounts.
And the second time he can access the admin account by using the PHPSESSID Hijacking technique.

Vulnerable PHP code:

	public function login(){
		extract($_POST);

		$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k) && $k != 'password'){
					$this->settings->set_userdata($k,$v);
				}

			}
			$this->settings->set_userdata('login_type',1);
		return json_encode(array('status'=>'success'));
		}else{
		return json_encode(array('status'=>'incorrect','last_qry'=>"SELECT * from users where username = '$username' and password = md5('$password') "));
		}
	}

Proof:


1
Ratings
Technical Analysis

CVE-nu11-07

VENDOR

eLearning V2 (by: oretnom23) is vulnerable to remote SQL-Injection-Bypass-Authentication

Description:

The eLearning V2 (by: oretnom23) is vulnerable to remote SQL-Injection-Bypass-Authentication in 3 accounts of the system (admin, Faculty & Student) in app /elearning/classes/Login.php.
remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameters (username, faculty_id, and student_id) from the login form are not protected correctly and there is no security or escaping against malicious payloads.
When the user sends a malicious query or malicious payload to the MySQL server for those three accounts, he can bypass the login credentials and take control of these accounts.

Vulnerable PHP app code in /elearning/classes/Login.php:
	public function login(){
		extract($_POST);

		$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k) && $k != 'password'){
					$this->settings->set_userdata($k,$v);
				}

			}
			$this->settings->set_userdata('login_type',1);
		$sy = $this->conn->query("SELECT * FROM academic_year where status = 1");
		foreach($sy->fetch_array() as $k =>$v){
			if(!is_numeric($k)){
			$this->settings->set_userdata('academic_'.$k,$v);
			}
		}
		return json_encode(array('status'=>'success'));
		}else{
		return json_encode(array('status'=>'incorrect','last_qry'=>"SELECT * from users where username = '$username' and password = md5('$password') "));
		}
	}
	public function flogin(){
		extract($_POST);

		$qry = $this->conn->query("SELECT * from faculty where  faculty_id = '$faculty_id' and `password` = '".md5($password)."' ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k)){
					$this->settings->set_userdata($k,$v);
				}

			}
			$this->settings->set_userdata('login_type',2);
			$sy = $this->conn->query("SELECT * FROM academic_year where status = 1");
		foreach($sy->fetch_array() as $k =>$v){
			if(!is_numeric($k)){
			$this->settings->set_userdata('academic_'.$k,$v);
			}
		}
			return json_encode(array('status'=>'success'));
		}else{
		return json_encode(array('status'=>'incorrect'));
		}
	}
	public function slogin(){
		extract($_POST);

		$qry = $this->conn->query("SELECT * from students where  student_id = '$student_id' and `password` = '".md5($password)."' ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k)){
					$this->settings->set_userdata($k,$v);
				}

			}

CONCLUSION:

  • This vendor must STOP creating all these broken projects and vulnerable software programs, probably he is not a developer!

  • [+] by @nu11secur1ty System Administrator – Infrastructure and Penetration Testing Engineer


Reproduce:

https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/CVE-nu11-07

Proof:


BR

@nu11secur1ty

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-nu11-05 MSMS-PHP (by: oretnom23 ) v1.0 HIT STRIKE

Description:

The MSMS-PHP (by: oretnom23 ) v1.0 is vulnerable in three sections!

  • remote SQL-Injection-Bypass-Authentication
    m0re info: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
    The parameter (username) from the login form is not protected correctly and there is no security or escaping against malicious payloads.
    When the user sends a malicious query or malicious payload to the MySQL server, he can bypass the login credentials and take control of the administrator account.
  • XSS – Stored PHPSESSID Vulnerable
    The vulnerable XSS app is “brand”, parameters: “name” and “description”.
    After the successful SQL injection, the malicious user can store an XSS payload with which he can take the
    active PHPSESSID session.
  • remote PHPSESSID – Hijacking
    After the successful XSS attack the malicious user can take control of the administrative account of the system from everywhere
    by using the PHPSESSID, and then he can make a lot of bad things!

Remote vulnerable links execution:


Broken query:

	public function login(){
		extract($_POST);

		$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k) && $k != 'password'){
					$this->settings->set_userdata($k,$v);
				}

			}

The fix, but not strong enough!

	public function login(){
		extract($_POST);

		$qry = $this->conn->query("SELECT * from users where username = ('$username') and password = md5('$password') ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k) && $k != 'password'){
					$this->settings->set_userdata($k,$v);
				}

			}

Stored XSS payload:

<p class="truncate-1 m-0">alert(document.cookie)</p>

Proof:

CONCLUSION:

  • [+] This vendor must STOP creating all these broken projects and vulnerable software programs, probably he is not a developer!

BR

  • [+] @nu11secur1ty System Administrator – Infrastructure and Penetration Testing Engineer
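The stored-XSS-to-PHPSESSID chain in this post (and in the CVE-nu11-13, CVE-nu11-11 and CVE-nu11-08 posts above) relies on two things: a stored field such as “name” or “description” being echoed into the page unescaped, and the session cookie being readable from script. The following is an added example, written for this page and not code from the original posts or from the vendor, showing the two corresponding defences in PHP. The record field names and sample values are constructed for the demonstration; the `truncate-1 m-0` class is taken from the rendered payload quoted above.

```php
<?php
// Added example, not code from the original posts or the vendor. It shows two
// defences against the chain described above (stored XSS payload -> theft of the
// active PHPSESSID): session cookie flags that keep PHPSESSID out of reach of
// document.cookie, and HTML-escaping of stored fields ("name", "description",
// "room_name", ...) every time they are rendered.
// Assumptions: records come from the application's own tables; the field names
// and sample rows below are constructed for the demonstration.
declare(strict_types=1);

// Call this instead of a bare session_start(). HttpOnly stops script from reading
// the cookie, Secure limits it to HTTPS, SameSite=Strict keeps cross-site requests
// from carrying it.
function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Escape a value for use as HTML text or inside a double-quoted attribute.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render stored records as table rows; every field passes through e() on output,
// so a payload saved in the database is shown as text rather than parsed as markup.
function renderRows(array $records, array $fields): string
{
    $html = '';
    foreach ($records as $record) {
        $cells = '';
        foreach ($fields as $field) {
            $cells .= '<td class="truncate-1 m-0">' . e((string)($record[$field] ?? '')) . '</td>';
        }
        $html .= "<tr>{$cells}</tr>\n";
    }
    return $html;
}

// Constructed sample rows, including one shaped like the stored payload above.
$brands = [
    ['name' => 'Acme',                                    'description' => 'Plain description'],
    ['name' => '<script>alert(document.cookie)</script>', 'description' => '" onmouseover="alert(1)'],
];
echo renderRows($brands, ['name', 'description']);
```

htmlspecialchars turns `<`, `>`, `"` and `'` into entities, so the second row is displayed as literal text instead of being parsed as a script element or an attribute break. The cookie flags are the second layer: even where an injection does execute, `document.cookie` does not contain an HttpOnly PHPSESSID, which is what the hijacking step in these posts depends on. Escaping belongs at output time, in every template, rather than at input time, because the same value may be rendered in several contexts.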
2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Ship Ferry Ticket Reservation System v1.0

Vendor

Description:

The Ship/Ferry Ticket Reservation System v1.0 is vulnerable in the application /ship_ticketing/classes/Login.php to SQL-Injection-Bypass-Authentication.
The parameter (username) from the login form is not protected correctly and there is no security or escaping against malicious payloads.
When the user sends a malicious query or malicious payload to the MySQL server, he can bypass the login credentials and take control of the administrator account.

Broken structure:

	public function login(){
		extract($_POST);

		$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k) && $k != 'password'){
					$this->settings->set_userdata($k,$v);
				}

			}

Simple fix, but not strong enough!!!:

	public function login(){
		extract($_POST);

		$qry = $this->conn->query("SELECT * from users where username = ('$username') and password = md5('$password') ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k) && $k != 'password'){
					$this->settings->set_userdata($k,$v);
				}

			}

Proof:


BR

[+] @nu11secur1ty

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-nu11-03

Online Leave Management System SQL-Injection-Bypass-Authentication:

Vendor:

Description:

The OLMS – PHP (by: oretnom23 ) v1.0 is vulnerable in the application /leave_system/classes/Login.php to SQL-Injection-Bypass-Authentication
m0re info: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameter (username) from the login form is not protected correctly and there is no security or escaping against malicious payloads.
When the user sends a malicious query or malicious payload to the MySQL server, he can bypass the login credentials and take control of the administrator account.

Broken query:

	public function login(){
		extract($_POST);

		$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k) && $k != 'password'){
					$this->settings->set_userdata($k,$v);
				}

			}

The fix, but not strong enough!

public function login(){
		extract($_POST);

		$qry = $this->conn->query("SELECT * from users where username = ('$username') and password = md5('$password') ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k) && $k != 'password'){
					$this->settings->set_userdata($k,$v);
				}

			}

Proof:

Conclusion and solution of the problem:

BR

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-nu11-04

Covid-19 Contact Tracing System Web App with QR Code Scanning CTS-QR (by: oretnom23 ) v1.0

Vendor:

Broken query:

	public function login(){
		extract($_POST);

		$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k) && $k != 'password'){
					$this->settings->set_userdata($k,$v);
				}

			}

The fix, but not strong enough!

	public function login(){
		extract($_POST);

		$qry = $this->conn->query("SELECT * from users where username = ('$username') and password = md5('$password') ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k) && $k != 'password'){
					$this->settings->set_userdata($k,$v);
				}

			}

Proof:

Description:

The Covid-19 Contact Tracing System Web App with QR Code Scanning CTS-QR (by: oretnom23 ) v1.0 is vulnerable in the application /cts_qr/classes/Login.php to SQL-Injection-Bypass-Authentication
m0re info: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameter (username) from the login form is not protected correctly and there is no security or escaping against malicious payloads.
When the user sends a malicious query or malicious payload to the MySQL server, he can bypass the login credentials and take control of the administrator account.

Please, report here:


    NOTE:

    • [+] The owner is not satisfied with the fact that all his projects are using the same broken MySQL query architecture. =)

M0re:

Conclusion and solution of the problem:

BR
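Every login snippet on this page, from validate.php in the first post to the Login.php classes above, builds the SQL string by interpolating the form fields, and the posts' “fix” of wrapping the value in parentheses changes nothing about that. The following is an added example, written for this page and not the vendor's code or a patch from the original posts, of the login with the query and the password check done the way the posts' own advice (prepared statements) calls for. It assumes `$conn` is a mysqli connection as created by the vendor's conn.php, a `users` table with columns `id`, `username` and `password`, and that `password` holds a `password_hash()` value rather than the md5 digest the vendor stores (migrating existing rows is out of scope here).

```php
<?php
// Added example, not the vendor's code and not a patch from the original posts.
// It replaces the interpolated  WHERE username = '$username'  query shown in the
// Login.php / validate.php snippets above with a bound parameter, and replaces
// the unsalted md5() comparison with password_verify().
// Assumptions: $conn is a mysqli connection (as created by the vendor's conn.php)
// and the users table has columns id, username and password, where password
// holds a password_hash() value rather than an md5 digest.
declare(strict_types=1);

function authenticate(mysqli $conn, string $username, string $password): ?array
{
    // Cost-equalising dummy hash so unknown and known usernames take similar time.
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);

    // The SQL text is fixed; user input is sent separately as a bound value, so
    // quotes, comment markers or OR clauses inside $username are matched literally.
    $stmt = $conn->prepare('SELECT id, username, password FROM users WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs the mysqlnd driver
    $stmt->close();

    if ($row === null) {
        password_verify($password, $dummyHash);  // burn comparable time, then fail
        return null;
    }
    if (!password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

// Handles one login request; $post is the decoded form body (e.g. $_POST).
function login(mysqli $conn, array $post): string
{
    // No extract($_POST): only the two expected fields are read, as strings.
    $username = (string)($post['username'] ?? '');
    $password = (string)($post['password'] ?? '');

    $user = authenticate($conn, $username, $password);
    if ($user === null) {
        // Never echo the SQL back to the client as the vendor's 'last_qry' field does.
        return json_encode(['status' => 'incorrect']);
    }

    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);          // fresh session id at login, against fixation
    $_SESSION['admin_id']   = $user['id'];
    $_SESSION['login_type'] = 1;
    return json_encode(['status' => 'success']);
}

// Usage from validate.php or the Login.php class:  echo login($conn, $_POST);
```

Three points are worth checking when reviewing a login like this. The bound parameter is what removes the bypass: no quoting or parenthesising of `$username` in the string does the same job. The `last_qry` field in the vendor's error response leaks the exact SQL to the client and should be dropped, as above. And `session_regenerate_id(true)` at the moment of login means a PHPSESSID obtained before authentication is not the one that carries the admin session afterwards.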

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Medium
Technical Analysis

Description:

Cross-Site Scripting (XSS SVG – Stored – PWNED PHPSESSID RCE) vulnerability exists in FlatCore-CMS 2.0.7 via the upload image function.
When the malicious user tricks the administrator of the CMS system into uploading the malicious SVG file, then
he can already execute this code from everywhere on the internet, and things will be worse than ever for the owner of this CMS system! ;)

@nu11secur1ty


Reproduce:

https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-39609

Proof:

https://streamable.com/p13hgj

Proof: PHPSESSID PWNED

https://streamable.com/9aj8o6
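The SVG case above differs from the other stored-XSS posts on this page: the payload is not a form field but an uploaded file that the browser renders as a document in the site's origin. The following is an added example, written for this page and not FlatCore-CMS code, of the server-side check that stops this: the allow-list is keyed on the MIME type derived from the file bytes, SVG is left off it, and a separate handler shows how to serve SVG as a download with script disabled if the feature must be kept. The file names and sample contents are constructed in a temp directory.

```php
<?php
// Added example, not FlatCore-CMS code. An image upload check that keeps an SVG
// carrying <script> from being stored and later served inline from the site's
// origin, which is the chain described above (an administrator uploads a crafted
// SVG, the script runs in the CMS origin and the session is exposed).
// Assumptions: uploads are checked server-side before being written to the public
// directory; the sample files below are constructed in a temp directory.
declare(strict_types=1);

// Allow-list keyed by the MIME type libmagic derives from the file contents.
// image/svg+xml is deliberately absent: SVG is XML and may contain <script>,
// event-handler attributes and external references.
const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

// Returns the extension to store the file under, or null to reject it.
// The decision uses the bytes of the file, not the client's filename or the
// Content-Type it claimed in the multipart body.
function classifyUpload(string $path): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if ($mime === false) {
        return null;
    }
    return ALLOWED_IMAGE_TYPES[$mime] ?? null;
}

// If SVG uploads must be kept, serve them through this handler rather than as
// static files: the browser downloads instead of rendering, and a CSP disables
// script for the response even if it is opened inline. $downloadName is fixed
// here; a user-supplied name would need sanitising before going into the header.
function serveSvgAsDownload(string $path, string $downloadName = 'image.svg'): void
{
    header('Content-Type: image/svg+xml');
    header('Content-Disposition: attachment; filename="' . $downloadName . '"');
    header("Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'");
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

// Constructed demo files: a minimal PNG signature and an SVG with a script element.
$png = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 64));
$svg = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($svg, '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>');

var_dump(classifyUpload($png));
var_dump(classifyUpload($svg));
unlink($png);
unlink($svg);
```

Run from the command line, the PNG is classified by its signature and accepted while the SVG, whatever extension the client gave it, falls outside the allow-list and is rejected. Checking the extension alone would not help, since the browser decides how to render a served file from the `Content-Type` the server sends, not from the name the uploader chose.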

2
Ratings
Technical Analysis

The SES-by_oretnom23 -v1.0 is vulnerable in the application /elearning/classes/Login.php which is called from the /elearning/dist/js/script.js app. The parameter (username) from the login form is not protected correctly and there is no security or escaping against malicious payloads. When the user sends a request to the MySQL server, he can bypass the login credentials and take control of the administrator account.

Reproduce:

https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/SES-by_oretnom23%20-v1.0

Proof:

https://streamable.com/kswjbi

1
Ratings
Technical Analysis

Description:

The B&E Tracker (by: oretnom23 ) v1.0 is vulnerable
in the application /expense_budget/classes/Login.php which is called from the /expense_budget/dist/js/script.js app.
The parameter (username) from the login form is not protected correctly and there is no security or escaping against malicious payloads.
When the user sends a request to the MySQL server, he can bypass the login credentials and take control of the administrator account.

Reproduce:

https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/B%26E%20Tracker-by:oretnom23-v1.0

Proof:

https://streamable.com/y3ig5h

BR nu11secur1ty

1
Ratings
Technical Analysis

Description:

The Online-Catering-Reservation-DT Food-Catering (by: oretnom23) v1.0 is vulnerable
in the application /catering/classes/Login.php which is called from the /catering/dist/js/script.js app.
The parameter (username) from the login form is not protected correctly and there is no security or escaping against malicious payloads.
When the user sends a request to the MySQL server, he can bypass the login credentials and take control of the administrator account.

More:

https://www.nu11secur1ty.com/2021/08/online-catering-reservation-dt-sql.html

More:

https://github.com/nu11secur1ty/CVE-mitre/tree/main/Online-Catering-Reservation-DT-Food-Catering

Simple proof and simple fix but not strong! =)

https://streamable.com/7qfnkl

BR

1
Ratings
Technical Analysis

XSS-Stored PHPSESSID user PWNED on Hospital Management System. Vulnerable parameter: “txtMsg” on contact

Reproduce:

https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-38757

Proof:

https://streamable.com/6xue3b

1
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Technical Analysis

TastyIgniter 3.0.7 allows XSS – Stored

Vulnerability Assessment

XSS-Stored: allows 48 characters

Url

http://192.168.1.3/setup-master/admin/customers/create

Payload

https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-38699

Vulnerable parameter

Customer[first_name]

Proof:

https://streamable.com/75b6ob

1
Ratings
Technical Analysis

Link: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-38603

Vulnerable parameter in profil.php: “id_content”
NOTE: The same problem is in the demo account in the online version
https://www.softaculous.com/softaculous/demos/PluXml

Proof: https://streamable.com/5rf36u

1
Ratings
Technical Analysis

CVE-mitre:index.php/appointment/insert_patient_add_appointment in Chikitsa Patient Management System 2.0.0 allows XSS.
nu11secur1ty: XSS-Stored – Brutal PWNED on Chikitsa 2.0.0 parameter “name” + User: Unrestricted File Upload “.php”

Reproduce:

https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-38152

Proof:

https://streamable.com/wbo5c1

2
Ratings
Technical Analysis

OneNav beta 0.9.12 allows XSS via the Add Link feature. PWNED by using remote execution script, automated for this vulnerability. NOTE: the vendor’s position is that there intentionally is not any XSS protection at present, because the attack risk is largely limited to a compromised account; however, XSS protection is planned for a future release.

More:

https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-38138

Proof:

https://streamable.com/ubtzio

2
Ratings
Technical Analysis

PandoraFMS <=7.54 allows Stored XSS by placing a payload in the name field of a visual console. When a user or an administrator visits the console, the XSS payload will be executed.

Reproduce:

2
Ratings
Technical Analysis

CVE-2021-33041

If some malicious guy sends an MD file with malicious content, and, for example, the user is a real user ;) and doesn’t know what is actually going on, and opens the file with VMD, boom, the game is over for him.

Proof:
https://streamable.com/j7e13y – low
https://streamable.com/oykc86 – medium
https://streamable.com/yywb0h – high
https://streamable.com/ngx2xm – very high

M0r3:

https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-33041

BR

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

According to Microsoft’s documentation, here are the affected platforms:

Windows Server, version 2004 (or 20H1) (Server Core installation),
Windows 10 Version 2004 (or 20H1) for ARM64/x64/32-bit Systems,
Windows Server, version 20H2 (Server Core Installation),
Windows 10 Version 20H2 for ARM64/x64/32-bit Systems.

CVE-2021-31166