Covid-19 Contact Tracing System Web App with QR Code Scanning - SQL-Injection-Bypass-Authentication

2021-08-31T00:00:00
ID AKB:934C6033-0C6F-4E2C-A428-9379AFF6AD2F
Type attackerkb
Reporter AttackerKB
Modified 2021-08-31T00:00:00

Description

The Covid-19 Contact Tracing System Web App with QR Code Scanning is vulnerable in the application /cts_qr/classes/Login.php from SQL-Injection-Bypass-Authentication m0re info: <https://portswigger.net/support/using-sql-injection-to-bypass-authentication>. The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads. When the user will sending a malicious query or malicious payload to the MySQL server he can bypass the login credentials and take control of the administer account.

Recent assessments:

nu11secur1ty at August 31, 2021 2:17pm UTC reported:

CVE-nu11-04

Covid-19 Contact Tracing System Web App with QR Code Scanning CTS-QR (by: oretnom23 ) v1.0

Vendor:

Broken query:

    public function login(){
        extract($_POST);

        $qry = $this-&gt;conn-&gt;query("SELECT * from users where username = '$username' and password = md5('$password') ");
        if($qry-&gt;num_rows &gt; 0){
            foreach($qry-&gt;fetch_array() as $k =&gt; $v){
                if(!is_numeric($k) && $k != 'password'){
                    $this-&gt;settings-&gt;set_userdata($k,$v);
                }

            }

The fix, but not strong enough!

    public function login(){
        extract($_POST);

        $qry = $this-&gt;conn-&gt;query("SELECT * from users where username = ('$username') and password = md5('$password') ");
        if($qry-&gt;num_rows &gt; 0){
            foreach($qry-&gt;fetch_array() as $k =&gt; $v){
                if(!is_numeric($k) && $k != 'password'){
                    $this-&gt;settings-&gt;set_userdata($k,$v);
                }

            }

Proof:

Description:

The Covid-19 Contact Tracing System Web App with QR Code Scanning CTS-QR (by: oretnom23 ) v1.0 is vulnerable in the application /cts_qr/classes/Login.php from SQL-Injection-Bypass-Authentication
m0re info: <https://portswigger.net/support/using-sql-injection-to-bypass-authentication>.
The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
When the user will sending a malicious query or malicious payload to the MySQL server he can bypass the login credentials and take control of the administer account.

Please, report here:

NOTE:

    • – [+] The owner is not satisfied with the fact that all his projects are using the same broken MySQL query architecture. =)

M0re:

Conclusion and solution of the problem:

BR

  • [+] @nu11secur1ty

Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 5