Headline
CVE-2021-40908: CVE-nu11secur1ty/vendors/oretnom23/CVE-nu11-09 at main · nu11secur1ty/CVE-nu11secur1ty
SQL injection vulnerability in Login.php in Sourcecodester Purchase Order Management System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username parameter.
CVE-nu11-09
Vendor****Vulnerability Description:
The POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote SQL-Injection-Bypass-Authentication for the admin account in app /purchase_order/classes/Login.php. remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication. The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads. When the user will sending a malicious query or malicious payload to the MySQL server, he can bypass the login credentials and take control of the admin account.
Vulnerability PHP
code:
public function login(){
extract($\_POST);
$qry = $this\->conn\->query("SELECT \* from users where username = '$username' and password = md5('$password') ");
if($qry\->num\_rows > 0){
foreach($qry\->fetch\_array() as $k => $v){
if(!is\_numeric($k) && $k != 'password'){
$this\->settings\->set\_userdata($k,$v);
}
}
$this\->settings\->set\_userdata('login\_type',1);
return json\_encode(array('status'\=>'success'));
}else{
return json\_encode(array('status'\=>'incorrect','last\_qry'\=>"SELECT \* from users where username = '$username' and password = md5('$password') "));
}
}
Responding from the hacked target:
PoC + checks
=PoC-CVE-nu11-09-rfth.py
C:\Users\venvaropt\Desktop\CVE-nu11-09-09092021>python PoC-CVE-nu11-09.py
DevTools listening on ws://127.0.0.1:63704/devtools/browser/bf18be59-2361-4c08-82dc-689957d5bf9e
The payload for CVE-nu11-09 is deployed and your admin account is PWNED by SQL - Injection
Please see the screenshot poc.png to see if your exploit is working =) BR @nu11secur1ty
This target gives a positive <Response [200]> from inside, after bypassing the login :D
C:\Users\venvaropt\Desktop\CVE-nu11-09-09092021>
Exploit technique:
Python + Selenium + hidden login && screenshot
Proof:
href
BR
- @nu11secur1ty