My Admin (Powered By Learning Impact) - SQL Injection Authentication Bypass
My Admin contains a SQL injection vulnerability that lets an attacker bypass login authentication by tampering with the username or password field. A payload such as `' OR 1=1 LIMIT 1 -- -+` forces the WHERE clause to evaluate as true and yields access as the first (typically administrative) account. The recommended fix is prepared statements, input validation and the principle of least privilege for the database account. 2025-12-1 16:53:40 Author: cxsecurity.com

# Exploit Title: My Admin (Powered By Learning Impact) - SQL Injection Authentication Bypass
# Date: 2025-11-26
# Exploit Author: 6ickzone
# Vendor Homepage: https://learningimpactmodel.com/
# Software Link: https://learningimpactmodel.com/siteadmin/index.php
# Category: Webapps
# CWE: CWE-89

---

## Description:

A critical SQL Injection (SQLi) vulnerability was discovered in the sign-in mechanism of the "My Admin" portal, powered by "Learning Impact". It allows an unauthenticated attacker to bypass the login page entirely by manipulating the input fields (Username and/or Password). The application fails to neutralize special elements in the input before it is used in the SQL query, so attacker-controlled text is parsed as part of the statement.

### Proof of Concept (PoC):

An attacker can submit the following generic payload in the Username field to inject a condition that forces the WHERE clause to evaluate as true, bypassing the required password check.

**Payload:** `' OR 1=1 LIMIT 1 -- -+`

When the server processes this input, the leading quote closes the username literal, `OR 1=1` makes the WHERE clause match every row, `LIMIT 1` selects the first user in the table (often an Administrator or the highest-privileged account), and the `-- ` comment discards the remainder of the original query, including the password comparison. The attacker is authenticated as that user and gains unauthorized access to the administration panel. The trailing `-+` only serves to keep the whitespace after `--` from being trimmed; on MySQL, `--` starts a comment only when it is followed by whitespace.

### Mitigation:

Developers must implement **Prepared Statements (Parameterized Queries)** so that all user input is treated as data, not executable code. Additionally, input validation and the principle of least privilege for the database connection are strongly recommended to limit the impact of this class of attack.
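To make the bypass concrete, the following added example (written for this edit; it is not code from the advisory, the exploit author or the vendor) reconstructs a hypothetical login query of the shape the advisory describes, runs the quoted payload against it in an in-memory SQLite database with constructed sample users, and contrasts it with the parameterized query from the mitigation section. The table layout, column names, sample credentials and the exact text of the vulnerable query are assumptions.

```python
import sqlite3

# Constructed sample users (assumed table layout; not from the advisory).
# Plaintext passwords are used only so the query keeps the shape the advisory
# describes; a real application would compare password hashes.
USERS = [
    (1, "administrator", "S3cr3t-admin", "admin"),
    (2, "editor", "editor-pass", "editor"),
]

# The payload quoted in the advisory.
PAYLOAD = "' OR 1=1 LIMIT 1 -- -+"


def make_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return conn


def build_vulnerable_query(username, password):
    """Hypothetical reconstruction of the flawed login query (CWE-89):
    both form fields are spliced into the SQL text with no escaping."""
    return (
        "SELECT id, username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )


def login_vulnerable(conn, username, password):
    """Login as the advisory describes it: returns (id, username, role) of the
    first matching row, or None. With PAYLOAD in either field the condition
    becomes `... OR 1=1`, LIMIT 1 picks the first row, and the `-- ` comment
    discards the rest of the statement, including the password check."""
    return conn.execute(build_vulnerable_query(username, password)).fetchone()


def login_parameterized(conn, username, password):
    """The prepared-statement fix: the driver binds the values as data, so the
    quote and comment characters in PAYLOAD never reach the SQL parser."""
    return conn.execute(
        "SELECT id, username, role FROM users "
        "WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("injected SQL :", build_vulnerable_query(PAYLOAD, "anything"))
    print("vulnerable   :", login_vulnerable(db, PAYLOAD, "anything"))
    print("vulnerable   :", login_vulnerable(db, "nobody", PAYLOAD))
    print("parameterized:", login_parameterized(db, PAYLOAD, "anything"))
    print("parameterized:", login_parameterized(db, "administrator", "S3cr3t-admin"))
```

Run as a script, the vulnerable login returns the administrator row whether the payload is placed in the username or the password field, while the parameterized version returns nothing for the payload and only succeeds with the real credentials. SQLite treats `--` as a comment start unconditionally; the trailing `-+` in the payload matters on MySQL, where `--` must be followed by whitespace, so it keeps that space from being trimmed by the form or the server.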



Source: https://cxsecurity.com/issue/WLB-2025120001
For infringement concerns, contact: admin#unsafe.sh