Cemetery Mapping and Information System 1.0 user_email SQL injection (authentication bypass) Vulnerability / Exploit
Exploits / Vulnerability Discovered : 2021-01-26 |
Type : webapps |
Platform : php
This exploit / vulnerability (Cemetery Mapping and Information System 1.0 user_email SQL injection, authentication bypass) is for educational purposes only; if you use it, you do so at your own risk.
[+] Code ...
# Exploit Title: Cemetery Mapping and Information System 1.0 - 'user_email' SQL Injection (Authentication Bypass)
# Exploit Author: Marco Catalano
# Date: 2021-01-25
# Vendor Homepage: https://www.sourcecodester.com/php/12779/cemetery-mapping-and-information-system-using-phpmysqli.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12779&title=Cemetery+Mapping+and+Information+System+Using+PHP%2FMySQLi+with+Source+Code
# Affected Version: 1.0
# Vulnerable parameter: "user_email" (POST method)
# Tested on: Linux, PHP/7.4.11
Explanation:
The userAuthentication function defined in "/include/accounts.php" builds its query by concatenating the submitted values directly into the SQL string:
$mydb->setQuery("SELECT * FROM `tbluseraccount` WHERE `U_USERNAME` = '". $U_USERNAME ."' and `U_PASS` = '". $h_pass ."'");
This function is called when a user tries to log into the administrative panel at "/admin/login.php".
Proof of Concept:
The user input is neither sanitized nor bound as a query parameter, so a single quote in the username closes the string literal and the remainder of the value becomes part of the WHERE clause. This leads to authentication bypass through the classic "<username>' or '1' = '1 -- -", where <username> has to be a valid username. For example, the default username is "janobe".
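As an added example (not the project's own code), this is the same login query rewritten with a mysqli prepared statement, which is the fix for this class of bug: the values travel separately from the SQL text, so the quote in the payload above is compared literally as a username and cannot alter the WHERE clause. It assumes $db is an open mysqli connection and that $h_pass is already the hashed form of the submitted password, as in the original userAuthentication function.

```php
<?php
// Added example, not code from the Cemetery Mapping and Information System.
// Assumptions (not from the page): $db is a live mysqli connection, and
// $h_pass is the already-hashed password exactly as the original function
// receives it. get_result() needs the mysqlnd driver, which PHP 7.4 ships by default.

/**
 * Look up the account matching the submitted credentials.
 * Returns the tbluseraccount row on success, or null when nothing matches.
 */
function userAuthenticationSafe(mysqli $db, string $U_USERNAME, string $h_pass): ?array
{
    // Placeholders instead of concatenation: the SQL text is fixed before any
    // user-supplied value is seen by the server.
    $sql = "SELECT * FROM `tbluseraccount` WHERE `U_USERNAME` = ? AND `U_PASS` = ?";

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }

    // Both values are bound as strings; "janobe' or '1' = '1 -- -" is now just
    // a (non-existent) username, not SQL.
    $stmt->bind_param('ss', $U_USERNAME, $h_pass);
    if (!$stmt->execute()) {
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $db->error);
    }

    $result = $stmt->get_result();
    $row = $result ? $result->fetch_assoc() : null;
    $stmt->close();

    return $row ?: null;
}

// Usage sketch (constructed values, not from the page):
// $db = new mysqli('localhost', 'dbuser', 'dbpass', 'cemetery_db');
// $account = userAuthenticationSafe($db, $_POST['user_email'], $h_pass);
// if ($account === null) { /* reject login */ }
```

Binding the parameters removes the injection; whether the stored password hash and the way $h_pass is derived are strong is a separate question the page does not address.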