Admin Panel Authentication Bypass Leading to Full Admin Access [CVE-2020-35276]

In this section, I will explain how I was able to bypass the admin login panel and how that led to full admin access control.

CVE ID: CVE-2020-35276


What is SQL injection (SQLi)?

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior.

In some situations, an attacker can escalate an SQL injection attack to compromise the underlying server or other back-end infrastructure, or perform a denial-of-service attack.

SQL Injection Types:

  1. Error-based: this type of SQL injection relies on error messages returned by the database server, which may leak useful information about the database structure.

Note that the login bypass below does not depend on error messages at all: it is a tautology-based (boolean) injection, in which an injected OR condition makes the login query's WHERE clause match without the supplied password ever being checked.

While doing my pentest research, I came across an address book web application, EGM Address Book CPanel, from a vendor called EgavilanMedia.

Product Details:

Product: EGM Address Book CPanel

Vendor: Egavilanmedia

Vendor URL: http://egavilanmedia.com

Component URL: http://demo.egavilanmedia.com/Address%20Book/login.php

Bug: SQL injection, admin panel authentication bypass

Exploitable: Yes

Impact of the vulnerability:

An attacker can bypass the admin login panel via SQL injection, obtain full admin access, and then add or remove any user.

Detailed Steps:

1. Open the admin login page at the following URL: http://demo.egavilanmedia.com/Address%20Book/login.php

2. Enter the payload admin' or '1'='1-- (with a trailing space after the two dashes) in the Username field and any random password, then click the Login button.


3. The server accepted the payload and we were logged in to the admin panel without any valid credentials. From there we were also able to add or remove any user.


How to protect your code from SQL injection

  1. Never build a query by concatenating the user's input into the SQL string. Use parameterized (prepared) statements instead: the database driver binds the values separately from the query text, so quotes, OR clauses and comment markers in the input are treated strictly as data and can never change the structure of the query.
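To make both the bypass in the Detailed Steps and the fix above concrete, here is an added example that is not the vendor's code and not taken from the original post. The real login.php is PHP against a MySQL backend; this reproduces the same login logic with Python's standard-library sqlite3 module so it runs offline. The table and column names (users, username, password) and the plaintext password column are assumptions chosen for the demonstration. The vulnerable function concatenates input into the query exactly the way a bypassable panel does; the hardened function uses a bound parameter, which in the application's own stack corresponds to a PDO or mysqli prepared statement.

```python
"""Added example: why the payload from step 2 defeats string-built SQL,
and why a parameterized statement does not.

Assumptions (not from the original page): the schema below, plaintext
passwords (kept only to make the comparison readable), and sqlite3
standing in for the PHP/MySQL stack of the real application.
"""
import sqlite3

# The exact payload from step 2; the trailing space after "--" is kept.
PAYLOAD = "admin' or '1'='1-- "


def make_db():
    """Constructed sample database with a single admin account."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    con.execute("INSERT INTO users (username, password) VALUES ('admin', 'S3cret!')")
    return con


def vulnerable_login(con, username, password):
    """Builds the query by string concatenation (the vulnerable pattern).

    With the payload, the SQL sent to the database becomes:
      ... WHERE username = 'admin' or '1'='1-- ' AND password = '<anything>'
    The injected quote after admin closes the literal, and because OR binds
    looser than AND the clause parses as
      username = 'admin' OR ('1' = '1-- ' AND password = '<anything>')
    The admin row matches the left side, so the password is never checked.
    Note that in this query shape the "--" lands inside the application's
    own closing quote and is just data; the bypass is carried by the OR.
    Returns (logged_in, sql_sent) so the caller can inspect the query.
    """
    sql = (
        "SELECT id, username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = con.execute(sql).fetchone()
    return row is not None, sql


def safe_login(con, username, password):
    """Parameterized statement: the driver binds the two values separately,
    so the quote, the OR and the comment marker in the input are compared
    as literal text against the username column and match nothing."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row is not None


def demo():
    """Runs the payload against both implementations and a legitimate login
    against the safe one; returns the outcomes for inspection."""
    con = make_db()
    bypassed, sql_sent = vulnerable_login(con, PAYLOAD, "anything")
    return {
        "vulnerable_bypassed": bypassed,        # True: logged in without the password
        "query_sent": sql_sent,                 # the mangled SQL the server received
        "safe_bypassed": safe_login(con, PAYLOAD, "anything"),   # False
        "safe_legit_login": safe_login(con, "admin", "S3cret!"),  # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script to see the concatenated query the vulnerable version actually sends. The point to take away is that parameterization is not escaping: the same payload string is still passed to the database, but as a bound value that can only ever be compared against the username column, so there is nothing for an attacker to rebalance.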

Cheers!

Happy hunting!

Security in IT is like locking your house or car — it doesn’t stop the bad guys, but if it’s good enough they may move on to an easier target.
