CVE-2021-40578

Tushar Jadhav
3 min read · Nov 12, 2021


Authenticated Blind and Error-Based SQL Injection Leading to RCE

👨🏼‍💻 Discovered by Tushar Jadhav

Profile : https://www.linkedin.com/in/tushar-jadhav-7a43b4171/

📄 Vulnerable version: 1.0

🔗 Vendor Homepage: https://www.sourcecodester.com/

Product: Online Enrollment Management System in PHP and Paypal Payment System

Identifier: OWASP Top 10: Injection

Detailed description: When an administrator confirms a new enrollee, controller.php receives a GET request containing IDNO along with the other parameters. IDNO is the parameter vulnerable to SQL injection; through it an attacker can dump all of the data in the database.

Steps-To-Reproduce:

1. Log in to the Online Enrollment Management System admin panel.
Admin login page

2. Click on New Enrollees, then Confirm.

Normal response

3. Putting ' AND (SELECT 0000 FROM (SELECT(SLEEP(10)))abcd) AND 'dddd'='dddd into the IDNO parameter confirms the SQL injection, as shown in the image below: the response is delayed by 10 seconds.

Application misbehaviour

4. After confirming that IDNO is vulnerable to SQL injection, feeding the request to sqlmap does the rest of the work for us 😉

The result of sqlmap against the IDNO parameter

5. It shows that it is vulnerable. Then I tried another command to upload a PHP webshell.

Command for uploading the shell

6. After executing this command, I was able to upload a shell named tmpbqrca.php.

Shell Uploaded

7. Now I am able to execute any command on the system. If the application is running in a root/Administrator environment, then I get admin privileges.

Listing directories

8. With that I am also able to execute commands through the web environment.

Commands executed via the web
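The root cause of the whole chain above is a single unparameterized query. The following PHP is an added example, not code from the Online Enrollment Management System: it reconstructs the kind of concatenation that makes the IDNO parameter injectable (the table and column names, the ID format and the connection details are assumptions) and places the hardened version beside it. Two points worth noting for the RCE steps 5-8: the prepared statement stops the time-based payload from step 3 being parsed as SQL at all, and the webshell write in step 6 only works when the database account the web app uses holds the MySQL FILE privilege and can write into a web-served directory, so the application's database user should be granted neither.

```php
<?php
// Added example. Hypothetical reconstruction of the vulnerable pattern
// described in the write-up; table/column names and the ID format are
// assumptions, not taken from the project's source.

// --- Vulnerable pattern (shown for contrast; do not use) ---------------
function confirmEnrolleeVulnerable(mysqli $db, string $idno): bool
{
    // $idno is spliced into the SQL text, so a value such as
    //   ' AND (SELECT 0000 FROM (SELECT(SLEEP(10)))abcd) AND 'dddd'='dddd
    // is executed as part of the statement (the 10 s delay seen in step 3).
    $sql = "UPDATE enrollees SET status = 'confirmed' WHERE idno = '" . $idno . "'";
    return $db->query($sql) !== false;
}

// --- Hardened version ----------------------------------------------------
function confirmEnrolleeSafe(mysqli $db, string $idno): bool
{
    // 1. Allow-list validation. An enrollee ID is assumed to be digits only;
    //    anything else (quotes, spaces, parentheses) is rejected outright.
    if (!preg_match('/^\d{1,20}$/', $idno)) {
        return false;
    }

    // 2. Prepared statement. The value is bound as data and never becomes
    //    part of the SQL text, so it cannot change the query's structure.
    $stmt = $db->prepare("UPDATE enrollees SET status = 'confirmed' WHERE idno = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $idno);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage. Connection details are placeholders; real credentials belong in
// configuration, and the 'enroll_app' account should hold only the
// INSERT/UPDATE/SELECT rights it needs on the enrollment schema, not FILE.
$db = new mysqli('127.0.0.1', 'enroll_app', 'change-me', 'enrollment');
$db->set_charset('utf8mb4');
$idno = $_GET['IDNO'] ?? '';
echo confirmEnrolleeSafe($db, $idno) ? 'confirmed' : 'rejected';
```

The allow-list check is defence in depth rather than the fix itself: the prepared statement alone closes the injection, but rejecting malformed IDs early also keeps the time-based probes out of the database entirely, which makes the SLEEP-style payload from step 3 a cheap thing to alert on in the web server's access log.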

Thanks for reading!
