CVE-2021-40578
Authenticated Blind & Error-based SQL Injection Leading to RCE
👨🏼💻 Discovered by Tushar Jadhav
Profile : https://www.linkedin.com/in/tushar-jadhav-7a43b4171/
📄 Vulnerable version: 1.0
🔗 Vendor Homepage: https://www.sourcecodester.com/
Product: Online Enrollment Management System in PHP and Paypal Payment System
Identifier: OWASP Top 10: Injection
Detailed description: When an administrator confirms a new enrollee, controller.php receives a GET request carrying the IDNO parameter together with the other form parameters. IDNO is the parameter vulnerable to SQL injection, and through it an authenticated attacker can dump all the data from the database.
Steps-To-Reproduce:
1. Log in to the Online Enrollment Management System admin panel.
2. Click New Enrollees → Confirm.
3. Putting ' AND (SELECT 0000 FROM (SELECT(SLEEP(10)))abcd) AND 'dddd'='dddd into the IDNO parameter confirms the SQL injection, as the screenshot below shows: the response is delayed by 10 seconds.
4. Once IDNO is confirmed vulnerable, feeding the request to sqlmap does the rest of the work for us 😉
5. sqlmap reports the parameter as vulnerable; I then tried another command to upload a PHP webshell.
6. After executing that command, I was able to upload a shell named tmpbqrca.php.
7. Now I am able to execute any command on the system. If the application runs in a root/Administrator environment, I get admin privileges.
8. I am also able to execute the commands through the web environment.
Thanks for reading!
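The IDNO parameter described above is a student ID number, so a legitimate request should only ever carry digits in it; the SLEEP-based payload from step 3 and sqlmap's follow-up probes therefore stand out clearly in the web server's access log. The Python script below is an added detection example, not part of the original write-up or of the vendor's application: it parses Apache combined-format log lines (the sample lines, the /enrollment/ path and the action parameter are constructed for this example), URL-decodes the query string, and flags any IDNO value that is non-numeric or that contains generic SQL injection indicators (time-delay functions, a quote followed by AND/OR, a nested SELECT, or a comment terminator). Other numeric parameters can be covered by adding them to NUMERIC_PARAMS.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format access-log lines for this example.
# Line 2 carries the time-based payload from the write-up in the IDNO parameter,
# line 3 a follow-up boolean probe; lines 1 and 4 are benign. The /enrollment/
# path and the "action" parameter are assumptions, not taken from the product.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2021:10:01:12 +0000] "GET /enrollment/controller.php?action=confirm&IDNO=2021001&status=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Sep/2021:10:01:40 +0000] "GET /enrollment/controller.php?action=confirm&IDNO=2021001%27%20AND%20%28SELECT%200000%20FROM%20%28SELECT%28SLEEP%2810%29%29%29abcd%29%20AND%20%27dddd%27%3D%27dddd&status=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Sep/2021:10:02:03 +0000] "GET /enrollment/controller.php?action=confirm&IDNO=2021001%27%20AND%201%3D1--%20&status=1 HTTP/1.1" 200 512 "-" "sqlmap/1.5"
10.0.0.7 - - [10/Sep/2021:10:02:30 +0000] "GET /enrollment/index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Parameters that must be purely numeric; any other value is a policy violation.
NUMERIC_PARAMS = {"IDNO": re.compile(r"\d+")}

# Generic SQL injection indicators, matched against the decoded parameter value.
SQLI_PATTERNS = [
    ("time-based function", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I)),
    ("quote followed by boolean operator", re.compile(r"['\"]\s*(and|or)\s+", re.I)),
    ("nested select subquery", re.compile(r"\(\s*select\b", re.I)),
    ("comment terminator", re.compile(r"--|/\*")),
]


def analyze_request(target: str) -> List[Dict]:
    """Decode the query string of one request target; return one finding per suspicious parameter value."""
    parts = urlsplit(target)
    findings = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            reasons = []
            expected = NUMERIC_PARAMS.get(name)
            if expected is not None and expected.fullmatch(value) is None:
                reasons.append("non-numeric value in numeric parameter")
            for label, pattern in SQLI_PATTERNS:
                if pattern.search(value):
                    reasons.append(label)
            if reasons:
                findings.append({"path": parts.path, "param": name, "value": value, "reasons": reasons})
    return findings


def scan_log(text: str) -> List[Dict]:
    """Run analyze_request over every parseable log line, attaching client IP, timestamp and user agent."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line; skip it
        for finding in analyze_request(m["target"]):
            finding.update(ip=m["ip"], ts=m["ts"], ua=m["ua"])
            alerts.append(finding)
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['ip']} {alert['path']} {alert['param']}={alert['value']!r}")
        print("   reasons:", ", ".join(alert["reasons"]), "| UA:", alert["ua"])
```

Run against the sample, the script raises two alerts, both from 10.0.0.9 and both on IDNO: the first for the SLEEP(10) payload (non-numeric value, time-based function, quote-plus-AND, nested SELECT) and the second for the boolean probe sent with a sqlmap user agent. The allowlist check is the more durable of the two controls: a numeric-only rule on IDNO catches every injection variant regardless of how the payload is encoded or obfuscated, while the pattern list mainly serves to label what kind of probe was attempted.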