Journey to the first 2 CVEs

Rahul
Jan 28, 2022

Hello Hackers,

In this blog, I’ll share the vulnerabilities that I found in an open-source CMS, for which I registered my first two CVEs.

Before diving into the blog let me tell you about myself.

I am Rahul Kalnarayan, a penetration tester working as a Security Consultant at SecurView, Inc. I hold an OSCP certification and am a part-time bug bounty hunter.

Before purchasing an OSCP lab, I was scrolling through my LinkedIn feed and noticed that many security professionals were posting about their first CVEs.

Then I started on the same. I came across multiple CMSs, but most of them already had public exploits available on Exploit-DB or GitHub, so I skipped them. I specifically wanted to find my first CVE for SQL injection. Then I found a recently released CMS, “Simple Client Management System V1.0”, developed by Oretnom23.

Without wasting a single minute, I downloaded the source code and configured it in a Debian environment with the latest services like PHP, MySQL, and Apache2.

1. CVE-2021-43509

With the CMS application, instead of a black-box approach I went with a white-box approach: because we already have the source code, we can construct a payload based on the requirements.

After going through each page, I found my way to the first vulnerability in the web application. There is a page called view_service.php.

[Screenshot: view_service.php]

After checking the code of the view_service.php page, I observed that the third line kept calling out to us again and again. Let me explain what the third line means.

Here the developer created a variable named qry. It holds the SQL statement, in which the query selects all data from the “services_list” table where id equals the user input.

SELECT * FROM `services_list` where  id = '{$_GET['id']}'

Here the vulnerable point is $_GET['id'].

Because the user input is passed directly into the SQL statement, it is vulnerable to SQL injection. Detecting SQL injection is very easy; the hard part is building a working exploit to dump data from the database.

I tried breaking the statement and completing it, and the application started throwing dozens of errors at us. I then constructed the exploit based on the requirement.

[Screenshot: Dozens of error-based SQLi]

I constructed a simple payload to complete the SQL statement and grab the database name.

http://192.168.1.76/cms/admin/maintenance/view_service.php?id=9999%27%20union%20all%20select%20null,null,concat(database()),null,null,null,null--+
[Screenshot: checking database name]

Then I reported the same.

2. CVE-2021-43510

After my first vulnerability, I tried another one: SQLi authentication bypass. We all mainly look toward the admin panel, so I moved on to it. Before trying a payload, I checked the source code for a better understanding.

Opening the admin panel in the browser redirected to another page, and while looking into the source code I found it was similar to the previous one.

[Screenshot: classes/Login.php]

The same thing is happening here: input from the form is passed directly into the SQL statement. I guess there is no need to elaborate here on the statement and function.

Here, we know how we detected the vulnerability and how to bypass it.

admin'+or+'1'%3D'1'--+-

I bypassed it using a simple SQLi authentication bypass payload.

[Screenshot: POC]
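
Both findings above come from the same root cause, request input placed inside the SQL text, so one fix pattern covers both. The PHP below is an added example, not code from the original post or from the CMS: it uses PDO with an in-memory SQLite database, and the tables, rows and function names are constructed for illustration (the real Login.php query is not reproduced here).

```php
<?php
// Added example. Schema, rows and function names are constructed assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE services_list (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO services_list (name) VALUES ('Constructed A'), ('Constructed B')");
$db->exec("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)");
$ins = $db->prepare("INSERT INTO users VALUES (?, ?)");
$ins->execute(['admin', password_hash('constructed-password', PASSWORD_DEFAULT)]);

// The pattern the post describes: input interpolated into the SQL string.
function view_service_vulnerable(PDO $db, string $id): array {
    $qry = "SELECT * FROM services_list WHERE id = '{$id}'";
    return $db->query($qry)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: reject anything that is not an integer, then bind it as a parameter.
function view_service_safe(PDO $db, string $id): array {
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false) {
        return [];
    }
    $stmt = $db->prepare("SELECT * FROM services_list WHERE id = :id");
    $stmt->bindValue(':id', $n, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened login: the username is bound, the password is checked against a hash.
function login_safe(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare("SELECT password_hash FROM users WHERE username = ?");
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

// Same quote-breaking shape as the string quoted in the post.
$input = "9999' or '1'='1'-- -";
printf("vulnerable rows: %d\n", count(view_service_vulnerable($db, $input)));
printf("safe rows:       %d\n", count(view_service_safe($db, $input)));
printf("safe rows, id=1: %d\n", count(view_service_safe($db, '1')));
var_dump(login_safe($db, "admin' or '1'='1'-- -", 'x'));
var_dump(login_safe($db, 'admin', 'constructed-password'));
```

The same prepare-and-bind pattern exists in mysqli (`prepare` and `bind_param`) for applications that use that driver instead of PDO.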

So, I reported both vulnerabilities and raised a request for CVEs. After waiting for two months, today I got my OSCP hard copy certification and a mail from cve-mitre about both CVEs getting registered. Waiting for them to be published soon.

Thanks for reading!!!

Happy Hacking…

[Image: I_DID_IT]
