Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
1

© 2021 Rupee Invoice System - Mayuri K | Designed by : Mayurik K is vulnerable to remote SQL-Injection-Bypass-Authentication

Last updated September 21, 2021
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The © 2021 Rupee Invoice System – Mayuri K | Designed by : Mayurik K is vulnerable to remote SQL-Injection-Bypass-Authentication.
remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
When the user will sending a malicious query or malicious payload to the MySQL server for those three accounts, he can bypass the login credentials and take control of admin account.

Add Assessment

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-nu11-16-092121

The vendor is so beautiful, but this is not enough ;)


Description:

The © 2021 Rupee Invoice System – Mayuri K | Designed by: Mayurik K is vulnerable to remote SQL-Injection-Bypass-Authentication.
remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
When the user will sending a malicious query or malicious payload to the MySQL server for those three accounts, he can bypass the login credentials and take control of the admin account.

Broken structure on login.php app:

$errors = array();

if($_POST) {    

  $username = $_POST['username'];
  $password = $_POST['password'];

  if(empty($username) || empty($password)) {
    if($username == "") {
      $errors[] = "Username is required";
    } 

    if($password == "") {
      $errors[] = "Password is required";
    }
  } else {
    $sql = "SELECT * FROM users WHERE username = ('$username')";
    $result = $connect->query($sql);

    if($result->num_rows == 1) {
      $password = md5($password);
      // exists
      $mainSql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
      $mainResult = $connect->query($mainSql);

      if($mainResult->num_rows == 1) {
        $value = $mainResult->fetch_assoc();
        $user_id = $value['user_id'];

        // set session
        $_SESSION['userId'] = $user_id;?>

Simple fixed, but not enough ;)

href

Decision:

href

BR

General Information

Technical Analysis