SOCA Access Control System SQL Injection Vulnerability Allowing Authentication Bypass and Privileged Access
Vulnerability
Multiple SQL injection vulnerabilities have been identified in the SOCA Access Control System version 180612. These vulnerabilities allow attackers to manipulate database queries by injecting arbitrary SQL code through unvalidated POST parameters. Exploiting these injection flaws can bypass authentication, retrieve password hashes, and gain administrative access with full system privileges. The vulnerabilities are present in 'Login.php' and 'Card_Edit_GetJson.php'.
Impact
Exploitation of these vulnerabilities can lead to unauthorized access with administrative privileges, allowing attackers to bypass physical access controls, unlock doors, and manipulate user data within the application.
Reproduction
The vulnerability can be reproduced by sending a POST request to 'Login/Login.php' with injected SQL code in the 'pos_id' or 'ID' parameter. This injection bypasses authentication and grants access to the application. Once authenticated, SQL injection can be exploited in 'Card/Card_Edit_GetJson.php' by injecting SQL code through the 'cidx' parameter to access sensitive information such as password hashes.
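A request-level check for the endpoints and parameters named above, as an added example (not code from the vendor or from this advisory). The allow-list patterns for legitimate 'pos_id', 'ID' and 'cidx' values are assumptions to tune per deployment, and the sample requests are constructed.

```python
import re
from urllib.parse import parse_qs

# Endpoint -> {parameter: allow-list pattern}. Endpoint and parameter names
# come from the advisory; the patterns are ASSUMPTIONS about legitimate values.
RULES = {
    "/Login/Login.php": {
        "pos_id": re.compile(r"[0-9]{1,10}"),
        "ID": re.compile(r"[A-Za-z0-9_.@-]{1,64}"),
    },
    "/Card/Card_Edit_GetJson.php": {
        "cidx": re.compile(r"[0-9]{1,10}"),
    },
}

def check_request(method, path, body):
    """Return (parameter, decoded value) pairs that fail the allow-list."""
    if method.upper() != "POST":
        return []
    clean = path.split("?", 1)[0].lower()
    # endswith() so installs under a URL prefix are still matched
    rules = next((r for p, r in RULES.items() if clean.endswith(p.lower())), None)
    if rules is None:
        return []
    # parse_qs percent-decodes, so encoded metacharacters are checked decoded
    params = parse_qs(body, keep_blank_values=True)
    return [(name, value)
            for name, pattern in rules.items()
            for value in params.get(name, [])
            if not pattern.fullmatch(value)]

def scan(requests):
    """Return (index, path, findings) for every request with a finding."""
    hits = []
    for i, (method, path, body) in enumerate(requests):
        findings = check_request(method, path, body)
        if findings:
            hits.append((i, path, findings))
    return hits

# Constructed sample requests: (method, path, form-encoded body)
SAMPLE_REQUESTS = [
    ("POST", "/Login/Login.php", "pos_id=3&ID=operator1"),
    ("POST", "/Login/Login.php", "pos_id=3&ID=operator1%27"),
    ("POST", "/Card/Card_Edit_GetJson.php", "cidx=42"),
    ("POST", "/Card/Card_Edit_GetJson.php", "cidx=42+AND+1"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit)
```

The same rules can run over captured request logs or in a reverse proxy in front of the controller until a fixed version is deployed.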
