# Exploit Title : Peruestudio CMS Bypass & SQL Injection
# Google Dork : intext:"Designed by www.peruestudio.com"
# Discovered By : MrHoudini
# Contact Me : Mr.Houdini77@Gmail.com
# My WebSite: www.MrHoudini.ir
# Date : 14-12-2017
# Vendor Homepage : http://www.peruestudio.com
[!] Description:
SQL injection attacks target the database, and all of them are the result of programming errors: if the programmer does not validate the inputs correctly, the attacker can send his/her own commands to the database. If the programmer makes this mistake on the admin login form and the inputs are not checked, something very bad happens: the attacker can log in to the administrator panel with a username/password combination that makes the query's WHERE clause evaluate to true, so the PHP code sees a matching row and treats it as a valid login.
Request Method : [+] POST
Vulnerable Module : [+] Login
Vulnerable Parameter : [+] (username) and (Password)
==================================================
[!] Bug.........:
<?php
require_once('any.php');
if($_POST['submit']) {
    // Raw POST input is used without any validation or escaping
    $user=$_POST['user'];
    $pswd=$_POST['pswd'];
    // Both values are concatenated straight into the SQL text, so a single quote
    // in either field changes the structure of the query (e.g. a tautology)
    $result=mysql_query("select * from login where user='$user' and pswd='$pswd'");
    $rowcount=mysql_num_rows($result);
    if($rowcount>0) {
        // Any matching row at all is treated as a successful login
        header('Location:any.php');
    } else {
        echo "bad user";
    }
}
?>
==================================================
[!] SQL Injection :
Demo : http://www.spfh.org.pe/categorias-detalles.php?id=27
==================================================
[!] PoC.........:
To bypass the admin login:
Username : admin
Password : 123456
==================================================
[!] Live Demo For Admin Page :
http://spfh.org.pe/spadmin/login.php
http://fmwservicios.com/spadmin/login.php
==================================================
[!] Solution...:
The bug can be averted by checking every input variable with PHP functions before it reaches the query:
--Validate the type of the input with ctype_digit, ctype_alnum and the other ctype & gettype family functions (an id parameter, for example, must be all digits).
--Escape string entries with the database's own escaping function: mysql_real_escape_string, sqlite_escape_string or the equivalent for the driver in use.
--If no such function is available for the database, fall back to str_replace / addslashes (a weaker stopgap, not a complete fix).
The robust fix is a prepared statement with bound parameters (PDO or mysqli), so that user input is never parsed as SQL; the mysql_* extension used in the snippet above was removed in PHP 7, which is a further reason to migrate.
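The following is an added example, not code from the advisory or from the Peruestudio CMS: a self-contained model in Python (sqlite3 in place of PHP/MySQL) of the login shown under [!] Bug, placed here because it also demonstrates the fixes listed under [!] Solution. It shows why the string-built query lets a tautology in the password field, or a comment sequence in the username field, log an attacker in without knowing any credential, and contrasts that with a parameterised query and with the escaping approach. The table layout, the stored credential and the payload strings are constructed assumptions for the demonstration, not values taken from the page or from any real site.

```python
"""Added example (not the advisory's own code): model of the vulnerable PHP login
in Python/sqlite3, beside a parameterised and an escaped version of the query."""
import sqlite3


def make_db():
    # Constructed sample data: one admin row in a table shaped like the advisory's query.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (user TEXT, pswd TEXT)")
    conn.execute("INSERT INTO login VALUES ('admin', 's3cret-not-guessable')")
    return conn


def login_vulnerable(conn, user, pswd):
    """Mirror of the PHP snippet: user input is concatenated into the SQL text."""
    sql = f"select * from login where user='{user}' and pswd='{pswd}'"
    rows = conn.execute(sql).fetchall()
    return len(rows) > 0  # PHP: if ($rowcount > 0) -> logged in


def login_parameterised(conn, user, pswd):
    """Prepared statement with bound parameters: input is data, never parsed as SQL."""
    sql = "select * from login where user=? and pswd=?"
    rows = conn.execute(sql, (user, pswd)).fetchall()
    return len(rows) > 0


def escape_sql_string(s):
    """Stand-in for a driver escaping function (mysql_real_escape_string uses
    backslashes; SQLite doubles the quote). Only valid inside a single-quoted
    literal and only a stopgap; parameterised queries are the correct fix."""
    return s.replace("\x00", "").replace("'", "''")


def login_escaped(conn, user, pswd):
    """Same string-built query as the vulnerable version, but with escaped input."""
    sql = (f"select * from login where user='{escape_sql_string(user)}' "
           f"and pswd='{escape_sql_string(pswd)}'")
    return len(conn.execute(sql).fetchall()) > 0


# Assumed payloads for the bug class the advisory describes (standard tautology
# in the password field, comment-out of the password check in the username field);
# they are not strings taken from the page.
TAUTOLOGY_PSWD = "' OR '1'='1"
COMMENT_USER = "admin' --"


def demo():
    conn = make_db()
    return {
        # Query becomes: ... pswd='' OR '1'='1'  -> every row matches
        "vulnerable_pswd_bypass": login_vulnerable(conn, "admin", TAUTOLOGY_PSWD),
        # Query becomes: ... user='admin' --' and pswd='x'  -> password check commented out
        "vulnerable_user_bypass": login_vulnerable(conn, COMMENT_USER, "x"),
        "vulnerable_wrong_pswd": login_vulnerable(conn, "admin", "wrong"),
        "param_pswd_bypass": login_parameterised(conn, "admin", TAUTOLOGY_PSWD),
        "param_user_bypass": login_parameterised(conn, COMMENT_USER, "x"),
        "param_valid": login_parameterised(conn, "admin", "s3cret-not-guessable"),
        "escaped_pswd_bypass": login_escaped(conn, "admin", TAUTOLOGY_PSWD),
        "escaped_user_bypass": login_escaped(conn, COMMENT_USER, "x"),
        "escaped_valid": login_escaped(conn, "admin", "s3cret-not-guessable"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block prints True for both vulnerable bypasses and False for the parameterised and escaped ones, while the genuine credential still works in every version. Note that the escaping defence only holds because the value sits inside a single-quoted literal; an unquoted numeric parameter such as the id in the GET demo above needs the ctype_digit style check or a bound parameter instead.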