AttackerKB AKB:934C6033-0C6F-4E2C-A428-9379AFF6AD2F
Aug 31, 2021 - 12:00 a.m.

Covid-19 Contact Tracing System Web App with QR Code Scanning - SQL-Injection-Bypass-Authentication

attackerkb.com

The Covid-19 Contact Tracing System Web App with QR Code Scanning is vulnerable to SQL-injection authentication bypass in /cts_qr/classes/Login.php (more info: <https://portswigger.net/support/using-sql-injection-to-bypass-authentication>). The username parameter of the login form is neither validated nor escaped before it is placed in the query, so a user who sends a crafted value to the MySQL server can bypass the login credentials and take control of the administrator account.

Recent assessments:

nu11secur1ty at August 31, 2021 2:17pm UTC reported:

CVE-nu11-04

Covid-19 Contact Tracing System Web App with QR Code Scanning CTS-QR (by: oretnom23 ) v1.0

Vendor:

Broken query:

	public function login(){
		// extract() turns every POST field into a local variable, including $username and $password
		extract($_POST);

		// Vulnerable: $username and $password are interpolated straight into the SQL text
		$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k) && $k != 'password'){
					$this->settings->set_userdata($k,$v);
				}
			}
		}
	}

The fix, but not strong enough!

	public function login(){
		extract($_POST);

		// Still vulnerable: wrapping the literal in parentheses does not escape the input
		$qry = $this->conn->query("SELECT * from users where username = ('$username') and password = md5('$password') ");
		if($qry->num_rows > 0){
			foreach($qry->fetch_array() as $k => $v){
				if(!is_numeric($k) && $k != 'password'){
					$this->settings->set_userdata($k,$v);
				}
			}
		}
	}

Proof:

Description:

The Covid-19 Contact Tracing System Web App with QR Code Scanning CTS-QR (by: oretnom23 ) v1.0 is vulnerable to SQL-Injection-Bypass-Authentication in the application file /cts_qr/classes/Login.php.
m0re info: <https://portswigger.net/support/using-sql-injection-to-bypass-authentication>.
The parameter (username) from the login form is not protected correctly and there is no security or escaping against malicious payloads.
When the user sends a malicious query or malicious payload to the MySQL server, he can bypass the login credentials and take control of the administrator account.

Please report here:

NOTE:

  • [+] `The owner is not satisfied with the fact that all his projects are using the same broken MySQL query architecture.` =)

M0re:

Conclusion and solution of the problem:

BR

  • [+] @nu11secur1ty

Assessed Attacker Value: 5
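The following is an added illustration, not code from the assessment or from the CTS-QR project: it rebuilds the two string-built queries shown above and a parameterised version, using Python's sqlite3 in place of PHP/mysqli (an md5() function is registered so the SQL matches the original), with a constructed users table. A username that merely contains an apostrophe reaches the SQL parser as code in both string-built variants, while the bound-parameter query treats it as data.

```python
import hashlib
import sqlite3


def _md5(text):
    # SQLite has no md5(); register one so the queries mirror the PHP original.
    return hashlib.md5(text.encode()).hexdigest()


def make_db():
    # Constructed sample data: a single admin account with a known password.
    conn = sqlite3.connect(":memory:")
    conn.create_function("md5", 1, _md5)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', md5('correct-horse'))")
    return conn


def login_original(conn, username, password):
    # Mirrors the 'broken query': input is spliced into the SQL text.
    sql = f"SELECT * FROM users WHERE username = '{username}' AND password = md5('{password}')"
    return conn.execute(sql).fetchone() is not None


def login_parenthesised(conn, username, password):
    # Mirrors the 'fix, but not strong enough': parentheses change nothing about quoting.
    sql = f"SELECT * FROM users WHERE username = ('{username}') AND password = md5('{password}')"
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn, username, password):
    # Bound parameters: the driver passes input as data, never as SQL syntax.
    sql = "SELECT * FROM users WHERE username = ? AND password = md5(?)"
    return conn.execute(sql, (username, password)).fetchone() is not None


def probe(login_fn, conn, username, password):
    # 'ok'/'denied' mean the input was handled as data; 'syntax-error' means it
    # altered the statement structure, i.e. the query is injectable.
    try:
        return "ok" if login_fn(conn, username, password) else "denied"
    except sqlite3.OperationalError:
        return "syntax-error"


if __name__ == "__main__":
    db = make_db()
    for fn in (login_original, login_parenthesised, login_parameterised):
        print(fn.__name__, probe(fn, db, "O'Brien", "anything"))
```

Running it shows `syntax-error` for both string-built variants and `denied` for the parameterised one; a legitimate `admin` / `correct-horse` login returns `ok` in all three.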