FreeSMS Authentication Bypass Vulnerability via Boolean-Based Blind SQL Injection

Vulnerability

A boolean-based blind SQL injection vulnerability has been identified in FreeSMS version 2.1.2. This vulnerability resides in the password parameter of the login endpoint, allowing unauthenticated attackers to bypass authentication. Exploitation involves injecting SQL code that manipulates the application's database queries. Once authenticated, attackers can change the password of any user through the profile update function.

Impact

Exploitation of this vulnerability allows for authentication bypass, enabling attackers to log in as any known user and change their password.

Reproduction

To reproduce this vulnerability, send a POST request to '/pages/crc_handler.php?method=login' with a known username and a crafted SQL injection payload in the password parameter. The payload should be designed to exploit the application's SQL query handling, such as by using a boolean-based injection that manipulates the SQL query logic. If the injection is successful, the response will indicate that authentication has been bypassed. After bypassing authentication, the same session can be used to send a request to update the user's password via the profile update function.
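As an added example that is not FreeSMS code, the snippet below contrasts the defect class described above (the raw password parameter spliced into the login query) with a hardened login that binds the username as a parameter and verifies the password hash in application code; the table layout, user record and password are constructed stand-ins.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000


def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a login table (not FreeSMS's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE legacy_users (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO legacy_users VALUES (?, ?)", ("alice", "correct horse"))
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice", salt, pw_hash("correct horse", salt)))
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The defect class the advisory describes: user input is spliced into the SQL
    # text, so a password containing quotes and boolean operators rewrites the
    # WHERE clause instead of being compared as data.
    sql = (f"SELECT 1 FROM legacy_users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def hardened_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Bind the username as a parameter and fetch only the credential record;
    # the password never reaches the SQL engine at all.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the derived hash in application code.
    return hmac.compare_digest(pw_hash(password, salt), stored)
```

Any value in the password field, quotes included, is treated as an opaque string by `hardened_login`, so the query logic cannot be altered through that parameter.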

Added: Mar 4, 2026, 7:00 PM
Updated: Mar 4, 2026, 7:00 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 8.3
remediation: 0.0
relevance: 3.5
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.