Authentication Bypass


Discovering an unusual column, cle, in the planning_user table of the target SOPlanning instance prompted some online research, which turned up an article showcasing multiple vulnerabilities in SOPlanning versions below 1.53.02.

Reading further into the article reveals that authentication can be bypassed using both the password and cle, due to the way the www/process/login.php file processes the “alternative” authentication.

Although the vendor has fixed the issues, they have not been assigned CVEs.

Using cle|password in the password field

Authentication successfully “bypassed”

Now that I have authenticated to the target SOPlanning instance, I can look into the RCE vulnerability.