Attacker Value: Very High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

MSMS-PHP (by: oretnom23 ) v1.0 - HIT STRIKE!

MITRE ATT&CK tactics: Execution
Validation: Validated

Description

CVE-nu11-05 MSMS-PHP (by: oretnom23 ) v1.0 HIT STRIKE

Description:

The MSMS-PHP (by: oretnom23 ) v1.0 is vulnerable in three sections!

  • Remote SQL Injection - Authentication Bypass
    More info: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
    The parameter (username) from the login form is not protected correctly; there is no security check or escaping of malicious payloads.
    When the user sends a malicious query or malicious payload to the MySQL server, he can bypass the login credentials and take control of the administrator account.
  • Stored XSS - PHPSESSID vulnerable
    The vulnerable XSS app is "brand", parameters "name" and "description".
    After the successful SQL injection, the malicious user can store an XSS payload with which he can take the active PHPSESSID session.
  • Remote PHPSESSID Hijacking
    After the successful XSS attack, the malicious user can take control of the administrative account of the system from anywhere by using the PHPSESSID, and then he can do a lot of bad things!

Ratings
  • Attacker Value: Very High
  • Exploitability: Very High
Technical Analysis

Remote vulnerable links execution:


Broken query:

	// Vulnerable login() from MSMS-PHP v1.0 as quoted in the advisory: extract($_POST) turns
	// every posted field into a local variable, and $username / $password are interpolated
	// straight into the SQL string, so the username value can rewrite the WHERE clause.
	public function login(){
		extract($_POST);

		$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k) && $k != 'password'){
					$this->settings->set_userdata($k,$v);
				}
			}
			// remainder of the function is not shown in the advisory
		}
	}
The fix, but not strong enough!

	// The vendor's fix: the only change is wrapping $username in parentheses. The value is
	// still interpolated unescaped, so the injection is unchanged; parentheses are not quoting.
	public function login(){
		extract($_POST);

		$qry = $this->conn->query("SELECT * from users where username = ('$username') and password = md5('$password') ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k) && $k != 'password'){
					$this->settings->set_userdata($k,$v);
				}
			}
			// remainder of the function is not shown in the advisory
		}
	}

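The following is an added example, not code from MSMS-PHP or from the advisory author: the same login() rebuilt with a mysqli prepared statement, which is what the parenthesised "fix" above fails to do. It assumes a mysqli connection with exception reporting, a `users` table with `username` and `password` columns as in the original query, and a `$settings` object exposing set_userdata() as in the quoted snippet; the `Login` class wrapper and the `md5(?)` comparison are assumptions made so the example drops into the existing schema.

```php
<?php
// Added example (not MSMS-PHP code). Assumes: mysqli connection, `users` table
// with username/password columns, $settings->set_userdata() as in the advisory,
// and a session already started by the application's bootstrap code.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

class Login
{
    private mysqli $conn;
    private object $settings;

    public function __construct(mysqli $conn, object $settings)
    {
        $this->conn = $conn;
        $this->settings = $settings;
    }

    // Returns 1 on success, 0 on failure (the advisory does not show the
    // original return values; these are assumed).
    public function login(): int
    {
        // Read only the two fields the form is expected to send. extract($_POST)
        // would let any posted key overwrite an arbitrary local variable.
        $username = (string)($_POST['username'] ?? '');
        $password = (string)($_POST['password'] ?? '');
        if ($username === '' || $password === '') {
            return 0;
        }

        // Placeholders: the driver sends the values separately from the query
        // text, so a quote or comment sequence in $username is just characters
        // in a string and can no longer rewrite the WHERE clause.
        $stmt = $this->conn->prepare(
            'SELECT * FROM users WHERE username = ? AND password = md5(?) LIMIT 1'
        );
        $stmt->bind_param('ss', $username, $password);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();

        if ($row === null) {
            return 0;
        }

        // Same session population as the original, minus the password hash.
        foreach ($row as $k => $v) {
            if ($k !== 'password') {
                $this->settings->set_userdata($k, $v);
            }
        }

        // Issue a fresh session id on login so a PHPSESSID observed before
        // authentication is worthless afterwards (ties in with the hijacking
        // section of the advisory).
        session_regenerate_id(true);
        return 1;
    }
}
```

The `md5(?)` comparison is kept only so the example matches the existing table; unsalted MD5 is not a password hash and should be replaced with password_hash() / password_verify() as a separate change.
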
Stored XSS payload:

<p class="truncate-1 m-0">alert(document.cookie)</p>

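As an added example (not code from MSMS-PHP or the advisory author), the two defensive measures that address the stored XSS in the brand "name"/"description" fields and the PHPSESSID theft it enables: HttpOnly/Secure/SameSite session cookie flags, and output encoding at render time. It assumes the application starts its session from one bootstrap file before any output, and the `$brand` row and the `h()` helper are constructed for the example.

```php
<?php
// Added example (not MSMS-PHP code). Assumes this runs in the application's
// bootstrap before any output is sent.

// 1. Session hardening, set before session_start().
//    - httponly: the cookie is not exposed to document.cookie, so the payload
//      shown in the advisory (and a real exfiltration script) cannot read it.
//    - secure / samesite: the cookie is only sent over HTTPS and not on
//      cross-site requests.
//    - use_strict_mode: PHP refuses session ids it did not generate itself.
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,      // requires the site to be served over HTTPS
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// 2. Contextual output encoding. Stored data is rendered as text, never as
//    markup, so a saved <script> element is displayed literally instead of run.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample row standing in for a brand record that an attacker
// managed to store through the vulnerable form.
$brand = [
    'name'        => '<script>alert(document.cookie)</script>',
    'description' => 'Plain "quoted" text & ampersand',
];
?>
<!-- Rendered output: the name shows as &lt;script&gt;...&lt;/script&gt; in the
     page source and as literal text in the browser. -->
<p class="truncate-1 m-0"><?= h($brand['name']) ?></p>
<p class="truncate-1 m-0"><?= h($brand['description']) ?></p>
```

Encoding belongs at the point of output, not at storage time, so the same stored value is safe in every template that prints it; the cookie flags are a second layer that limits damage if an encoding gap is missed somewhere else in the application.
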
Proof:

CONCLUSION:

  • [+] This vendor must STOP creating all these broken projects and vulnerable software programs; probably he is not a developer!

BR

  • [+] @nu11secur1ty System Administrator - Infrastructure and Penetration Testing Engineer
