Privilege Escalation — Unauthenticated access to Admin Portal (CVE-2020–35745)

Ashish Dhone
3 min readJan 6, 2021

Introduction

This article is a write up on how I found a Privilege Escalation Vulnerability where an attacker can access complete admin portal without authentication which gave me a new CVE-2020–35745.

What is Privilege Escalation?

Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed, and such elevation or changes should have been prevented by the application. This is usually caused by a flaw in the application. The result is that the application performs actions with more privileges than those intended by the developer or system administrator.

Usually, people refer to vertical escalation when it is possible to access resources granted to more privileged accounts (e.g., acquiring administrative privileges for the application), and to horizontal escalation when it is possible to access resources granted to a similarly configured account (e.g., in an online banking application, accessing information related to a different user).

Vulnerability exploitation

I have found this vulnerability in Hospital Management System — 4.0 of PHPGURUKUL.

Hospital Management System is a web application for the hospital which manages doctors and patients. In this project, they use PHP and MySQL database.
The entire project mainly consists of 3 modules, which are

  1. Admin module
  2. User module
  3. Doctor module

So we need installation process and source code to get started, we get complete details here.

Once we are done with the setup, we get portal to login for all modules.

So I Logged into User Module with provided credentials I was getting below dashboard.

Then logged in with Admin Module with provided credentials getting below admin dashboard, so till here everything was good.

--

--

Ashish Dhone

Top 120 in the World at Google Hacker’s Ranking & Best Bug Hunter of the Year 2021 | Cyber CounterIntelligence | SRT | CEH | CEH Master | CHFI | CVE x 4