eLearning V2 (by: oretnom23) is vulnerable to remote SQL-Injection-Bypass-Authentication

2021-09-06T00:00:00
ID AKB:17195884-3F5F-4379-953D-48B53037DEEF
Type attackerkb
Reporter AttackerKB
Modified 2021-09-06T00:00:00

Description

Description:

The eLearning V2 (by: oretnom23) is vulnerable to remote SQL-Injection-Bypass-Authentication in the 3 accounts of the system (admin, Faculty & Student) in the app file /elearning/classes/Login.php. Remote SQL-Injection-Bypass-Authentication: <https://portswigger.net/support/using-sql-injection-to-bypass-authentication>. The parameters (username, faculty_id, and student_id) from the login form are not protected correctly, and there is no security or escaping against malicious payloads. When a user sends a malicious query or malicious payload to the MySQL server for those three accounts, he can bypass the login credentials and take control of these accounts.

Recent assessments:

nu11secur1ty at September 06, 2021 10:08am UTC reported:

CVE-nu11-07

VENDOR

eLearning V2 (by: oretnom23) is vulnerable to remote SQL-Injection-Bypass-Authentication

Description:

The eLearning V2 (by: oretnom23) is vulnerable to remote SQL-Injection-Bypass-Authentication in the 3 accounts of the system (admin, Faculty & Student) in the app file /elearning/classes/Login.php.
Remote SQL-Injection-Bypass-Authentication: <https://portswigger.net/support/using-sql-injection-to-bypass-authentication>.
The parameters (username, faculty_id, and student_id) from the login form are not protected correctly, and there is no security or escaping against malicious payloads.
When a user sends a malicious query or malicious payload to the MySQL server for those three accounts, he can bypass the login credentials and take control of these accounts.

Vulnerable PHP app code in /elearning/classes/Login.php:

    public function login(){
        // extract($_POST) turns every posted field into a local variable, so
        // $username and $password arrive straight from the request body.
        extract($_POST);

        // $username is interpolated into the SQL string with no escaping or
        // parameter binding: this is the injection point for the admin account.
        $qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
        if($qry->num_rows > 0){
            foreach($qry->fetch_array() as $k => $v){
                if(!is_numeric($k) && $k != 'password'){
                    $this->settings->set_userdata($k,$v);
                }
            }
            $this->settings->set_userdata('login_type',1);
            $sy = $this->conn->query("SELECT * FROM academic_year where status = 1");
            foreach($sy->fetch_array() as $k => $v){
                if(!is_numeric($k)){
                    $this->settings->set_userdata('academic_'.$k,$v);
                }
            }
            return json_encode(array('status'=>'success'));
        }else{
            // On a failed login the raw query text is sent back to the client.
            return json_encode(array('status'=>'incorrect','last_qry'=>"SELECT * from users where username = '$username' and password = md5('$password') "));
        }
    }
    public function flogin(){
        extract($_POST);

        // Same pattern for the Faculty account: $faculty_id is concatenated
        // into the query unescaped.
        $qry = $this->conn->query("SELECT * from faculty where  faculty_id = '$faculty_id' and `password` = '".md5($password)."' ");
        if($qry->num_rows > 0){
            foreach($qry->fetch_array() as $k => $v){
                if(!is_numeric($k)){
                    $this->settings->set_userdata($k,$v);
                }
            }
            $this->settings->set_userdata('login_type',2);
            $sy = $this->conn->query("SELECT * FROM academic_year where status = 1");
            foreach($sy->fetch_array() as $k => $v){
                if(!is_numeric($k)){
                    $this->settings->set_userdata('academic_'.$k,$v);
                }
            }
            return json_encode(array('status'=>'success'));
        }else{
            return json_encode(array('status'=>'incorrect'));
        }
    }
    public function slogin(){
        extract($_POST);

        // Same pattern for the Student account via $student_id.
        $qry = $this->conn->query("SELECT * from students where  student_id = '$student_id' and `password` = '".md5($password)."' ");
        if($qry->num_rows > 0){
            foreach($qry->fetch_array() as $k => $v){
                if(!is_numeric($k)){
                    $this->settings->set_userdata($k,$v);
                }
            }
            // (the remainder of slogin() is cut off in the original excerpt)
        }
    }


CONCLUSION:

  • This vendor must STOP creating all these broken projects and vulnerable software programs, probably he is not a developer!

  • [+] by *@nu11secur1ty* System Administrator – Infrastructure and Penetration Testing Engineer


Reproduce:

https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/CVE-nu11-07

Proof:


BR

*@nu11secur1ty*
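A parameterised rewrite of the admin login() shown in the assessment above, added here as an example (it is not code from the eLearning project or from the reporter). It assumes the same mysqli connection in $this->conn and the same settings helper as the original, and that the users.password column has been migrated from md5() digests to password_hash() output; the same change applies to flogin() and slogin() with faculty_id and student_id bound as parameters.

```php
<?php
// Hardened replacement for Login::login() (added example, not the project's code).
// Assumes the same mysqli connection in $this->conn and settings helper as the
// original, and that users.password now holds password_hash() output.
class Login
{
    public function __construct(private mysqli $conn, private object $settings)
    {
    }

    public function login(): string
    {
        // Read only the two expected fields; extract($_POST) in the original lets
        // the client define arbitrary local variables.
        $username = (string)($_POST['username'] ?? '');
        $password = (string)($_POST['password'] ?? '');
        if ($username === '' || $password === '') {
            return json_encode(['status' => 'incorrect']);
        }

        // Parameterised query: the username is bound as data and never spliced
        // into the SQL text, so quotes or comment sequences in it cannot change
        // the WHERE clause.
        $stmt = $this->conn->prepare('SELECT * FROM users WHERE username = ? LIMIT 1');
        $stmt->bind_param('s', $username);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();

        // Check the password in PHP, not in the SQL predicate, with the
        // constant-time password_verify() instead of an unsalted md5().
        if ($row === null || !password_verify($password, $row['password'])) {
            // Do not echo the query back (the original returned it as last_qry).
            return json_encode(['status' => 'incorrect']);
        }

        foreach ($row as $k => $v) {
            if ($k !== 'password') {
                $this->settings->set_userdata($k, $v);
            }
        }
        $this->settings->set_userdata('login_type', 1);
        return json_encode(['status' => 'success']);
    }
}
```

The academic_year lookup from the original takes no user input and is unchanged, so it is left out here.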

Assessed Attacker Value: 5