MSMS-PHP (by: oretnom23 ) v1.0 - HIT STRIKE!

2021-09-02T00:00:00
ID AKB:255AD8E4-CFFD-4E96-8517-115953336F9E
Type attackerkb
Reporter AttackerKB
Modified 2021-09-02T00:00:00

Description

CVE-nu11-05 MSMS-PHP (by: oretnom23 ) v1.0 HIT STRIKE

Description:

The MSMS-PHP (by: oretnom23 ) v1.0 is vulnerable in three sections!

  • remote SQL-Injection-Bypass-Authentication

    m0re info: <https://portswigger.net/support/using-sql-injection-to-bypass-authentication>.
    The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
    When the user sends a malicious query or malicious payload to the MySQL server, he can bypass the login credentials and take control of the administrator account.

  • XSS – Stored PHPSESSID Vulnerable

    The vulnerable XSS app is “brand”, parameters: “name” and “description”.
    After the successful SQL injection, the malicious user can store an XSS payload with which he can take the
    active PHPSESSID session.

  • remote PHPSESSID – Hijacking

    After the successful XSS attack the malicious user can take control of the administrative account of the system from everywhere
    by using the PHPSESSID, and then he can do a lot of bad things!

Recent assessments:

nu11secur1ty at September 02, 2021 10:38am UTC reported:


Remote vulnerable links execution:

  • [+] <http://localhost/mobile_store/admin/login.php>

  • [+] <http://localhost/mobile_store/admin/?page=maintenance/brand>


Broken query:

    public function login(){
        extract($_POST);

        // $username and $password come straight from $_POST and are interpolated
        // unescaped into the SQL string, so the query text itself is attacker-controlled.
        $qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
        if($qry->num_rows > 0){
            foreach($qry->fetch_array() as $k => $v){
                if(!is_numeric($k) && $k != 'password'){
                    $this->settings->set_userdata($k,$v);
                }

            }
        }
    }

The fix, but not strong enough!

    public function login(){
        extract($_POST);

        // Only change: the interpolated value is wrapped in parentheses. The input
        // is still concatenated into the SQL, so nothing about the injection changes.
        $qry = $this->conn->query("SELECT * from users where username = ('$username') and password = md5('$password') ");
        if($qry->num_rows > 0){
            foreach($qry->fetch_array() as $k => $v){
                if(!is_numeric($k) && $k != 'password'){
                    $this->settings->set_userdata($k,$v);
                }

            }
        }
    }

Stored XSS payload:

    <p class="truncate-1 m-0">alert(document.cookie)</p>

Proof:

CONCLUSION:

  • [+] This vendor must STOP creating all these broken projects and vulnerable software programs, probably he is not a developer!

BR

  • [+] @nu11secur1ty System Administrator – Infrastructure and Penetration Testing Engineer

Assessed Attacker Value: 5
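As an added example (not the project's code and not part of the report above), here is how the `login()` shown in the advisory could be hardened: the username is bound as a prepared-statement parameter instead of being interpolated into the SQL, `extract($_POST)` is dropped, and the session id is regenerated on login. It assumes a mysqli connection in `$this->conn` (with mysqlnd, for `get_result()`), an already started session, the same `users` table, and that the `password` column stores a `password_hash()` digest rather than an unsalted md5.

```php
<?php
// Added hardening example (not the project's own code). Assumes a mysqli
// connection in $this->conn (with mysqlnd, for get_result()), a started
// session, and the same `users` table as the advisory's snippet;
// $this->settings->set_userdata() is kept as in the original.
class AdminLogin
{
    private mysqli $conn;
    private $settings;

    public function __construct(mysqli $conn, $settings)
    {
        $this->conn = $conn;
        $this->settings = $settings;
    }

    public function login(): bool
    {
        // Read the two fields explicitly instead of extract($_POST), which
        // lets the client overwrite arbitrary local variables.
        $username = (string)($_POST['username'] ?? '');
        $password = (string)($_POST['password'] ?? '');

        // Parameterised query: the username is bound as data, so quotes or
        // comment sequences inside it can never alter the SQL. Wrapping the
        // interpolated value in parentheses, as the vendor's fix does, cannot.
        $stmt = $this->conn->prepare('SELECT * FROM users WHERE username = ? LIMIT 1');
        $stmt->bind_param('s', $username);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();

        // Compare the password in PHP against a password_hash() digest
        // (assumes the column stores such a digest instead of an unsalted md5).
        if (!$row || !password_verify($password, $row['password'])) {
            return false;
        }

        // Issue a fresh session id on login so a PHPSESSID captured before
        // authentication cannot be reused for the admin session.
        session_regenerate_id(true);
        foreach ($row as $k => $v) {
            if ($k !== 'password') {
                $this->settings->set_userdata($k, $v);
            }
        }
        return true;
    }
}
```

Setting `session.cookie_httponly=1` (in php.ini or via `session_set_cookie_params()`) additionally keeps the stored payload's `document.cookie` read from seeing PHPSESSID, and escaping the brand `name` and `description` with `htmlspecialchars()` on output prevents the stored script from rendering at all.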