Patient Record Management System 1.0 Authentication Bypass

CVE Category Price Severity
N/A CWE-287 $1000 High
Author Risk Exploitation Type Date
Unknown High Remote 2023-01-20
Our sensors found this exploit at:

Below is a copy:

Patient Record Management System 1.0 Authentication Bypass
# Exploit Title: Patient Record Management System v1.0 - Authentication Bypass via PHP Loose Comparison
# Exploit Author: Joe Pollock
# Date: January 19, 2023
# Vendor Homepage:
# Software Link:
# Tested on: Kali Linux, Apache, Mysql, PHP 8.1.5
# CVE: T.B.C
# Vendor: kimcey500
# Version: 1.0
# Exploit Description:
#   Patient Record Management System v1.0 implements a PHP loose comparison within the password recovery functionality (secret question/answer) of 
#   the admin account, which renders the application vulnerable to an authentication bypass depending on the secret answer chosen by the administrator. 
#   If the secret answer generates a SHA1 magic hash (SHA1 is the hashing format used by the application to store secret answers) then an authentication 
#   bypass of the admin account is possible using any other SHA1 magic hash. The vulnerable function is found within User_model.php and is shown below:

public function get_forgot_secret($login_id, $secans){
   $this->db->where('u_id', $login_id);
   $query = $this->db->get('users');
   $decrypt = $query->row()->u_secretanswer;
   if(sha1($secans) == $decrypt){ // md5 encryption 
      return $query->row();

(+) To reproduce this exploit:
1. Log in as the administrator and navigate to the password recovery functionality (http://localhost/Indexcontrol/secretquestion).
2. Enter the Current Password then select any Secret Question. 
3. For the Secret Answer, use the following: 10932435112
4. Confirm the Secret Answer then click Submit. Now logout of the administrator account.
5. From the admin login page, click Forgot Password?.
6. Enter admin as the username then click Submit.
7. For the Secret Answer, use any of the following:


8. After clicking 'Submit, the 'create new password' functionality should be displayed and therefore authentication can be bypassed.

(+) Explanation:
Following from above, assume the administrator has chosen the following as their secret answer: 


The application then stores the SHA1 hash of the secret answer in the database. The stored hash is: 


The above hash is an example of a 'magic hash', i.e. the hash starts with "0e" (or "0..0e") only followed by numbers.

In PHP, if two strings are loosely compared (==) and match the regular expression 0+e[0-9]+, the result will be TRUE.

It will then be possible to bypass the authentication of this account using any secret answer which generates a SHA1 magic hash. 

Any of the following secret answers could be used to bypass authentication:


See here for more examples that could be used:

The comparision which would take place by the application in get_forgot_secret() is:

if(sha1(aaroZmOk) == "0e07766915004133176347055865026311692244"){ 
//Reset password

Which becomes:

if("0e66507019969427134894567494305185566735" == "0e07766915004133176347055865026311692244"){ 
//Reset password

Due to the loose comparision used (==), the above evaluates to TRUE, which would then allow the attacker to change
the password of the account.

You can try this yourself using the interactive PHP interpreter:

var_dump(sha1('aaroZmOk') == "0e111");
var_dump(sha1('aaroZmOk') == "0e222");
var_dump(sha1('aaroZmOk') == sha1('w9KASOk6Ikap'));

(+) References and more information

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.