Headline
CVE-2021-40596: CVE-nu11secur1ty/vendors/oretnom23/CVE-nu11-07 at main · nu11secur1ty/CVE-nu11secur1ty
SQL injection vulnerability in Login.php in sourcecodester Online Learning System v2 by oretnom23, allows attackers to execute arbitrary SQL commands via the faculty_id parameter.
The eLearning V2(by: oretnom23) is vulnerable from remote SQL-Injection-Bypass-Authentication in 3 accounts of the system (admin, Faculty & Student) in app /elearning/classes/Login.php. remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication. The parameter (username, faculty_id, and student_id) from the login form is not protected correctly and there is no security and escaping from malicious payloads. When the user will sending a malicious query or malicious payload to the MySQL server for those three accounts, he can bypass the login credentials and take control of these accounts.
public function login(){
extract($\_POST);
$qry = $this\->conn\->query("SELECT \* from users where username = '$username' and password = md5('$password') ");
if($qry\->num\_rows > 0){
foreach($qry\->fetch\_array() as $k => $v){
if(!is\_numeric($k) && $k != 'password'){
$this\->settings\->set\_userdata($k,$v);
}
}
$this\->settings\->set\_userdata('login\_type',1);
$sy = $this\->conn\->query("SELECT \* FROM academic\_year where status = 1");
foreach($sy\->fetch\_array() as $k =>$v){
if(!is\_numeric($k)){
$this\->settings\->set\_userdata('academic\_'.$k,$v);
}
}
return json\_encode(array('status'\=>'success'));
}else{
return json\_encode(array('status'\=>'incorrect','last\_qry'\=>"SELECT \* from users where username = '$username' and password = md5('$password') "));
}
}
public function flogin(){
extract($\_POST);
$qry = $this\->conn\->query("SELECT \* from faculty where faculty\_id = '$faculty\_id' and \`password\` = '".md5($password)."' ");
if($qry\->num\_rows > 0){
foreach($qry\->fetch\_array() as $k => $v){
if(!is\_numeric($k)){
$this\->settings\->set\_userdata($k,$v);
}
}
$this\->settings\->set\_userdata('login\_type',2);
$sy = $this\->conn\->query("SELECT \* FROM academic\_year where status = 1");
foreach($sy\->fetch\_array() as $k =>$v){
if(!is\_numeric($k)){
$this\->settings\->set\_userdata('academic\_'.$k,$v);
}
}
return json\_encode(array('status'\=>'success'));
}else{
return json\_encode(array('status'\=>'incorrect'));
}
}
public function slogin(){
extract($\_POST);
$qry = $this\->conn\->query("SELECT \* from students where student\_id = '$student\_id' and \`password\` = '".md5($password)."' ");
if($qry\->num\_rows > 0){
foreach($qry\->fetch\_array() as $k => $v){
if(!is\_numeric($k)){
$this\->settings\->set\_userdata($k,$v);
}
}