PHPGurukul Online Shopping Portal Project 2.0 - SQL Injection Vulnerability at admin login page in [/shopping/admin/index.php]

CVE-2024-9326

Exploit Title: PHPGurukul Online Shopping Portal Project 2.0 - SQL Injection

Exploit Author: SeaWind

Vendor Homepage: https://phpgurukul.com/

Software Link: https://phpgurukul.com/shopping-portal-free-download/

Version: 2.0

Vulnerable endpoint: http://localhost/shopping/admin/index.php

Tested on: Windows 11, XAMPP

Description and Impact

  • In the admin login page (http://localhost/shopping/admin/index.php) an SQL Injection vulnerability was found in the username parameter. This allows an attacker to reach the admin panel pages (for example http://localhost:88/admin/todays-orders.php) without any permission.

Steps to reproduce

  • First, visit the page http://localhost/shopping/admin/index.php

  • Then, in the username parameter, enter admin' -- - as the payload and fill the password parameter with anything. In my example, I fill the username parameter with the payload admin' -- - and 123 as the payload for the password parameter.

  • Finally, click the login button; with that, I was able to log in to the admin panel page without knowing the real password.

Root Cause Analysis

<?php
session_start();
error_reporting(0);
include("include/config.php");
if(isset($_POST['submit']))
{
    $username=$_POST['username'];
    $password=md5($_POST['password']);
    $ret=mysqli_query($con,"SELECT * FROM admin WHERE username='$username' and password='$password'"); // line 9: $username is interpolated into the SQL string unescaped
    $num=mysqli_fetch_array($ret);
    if($num>0)
    {
        $extra="change-password.php";
        $_SESSION['alogin']=$_POST['username'];
        $_SESSION['id']=$num['id'];
        header("location:change-password.php");
        exit();
    }
    else
    {
        $_SESSION['errmsg']="Invalid username or password";
        header("location:index.php");
        exit();
    }
}
?>
  • This is the source code for the admin login in /shopping/admin/index.php. On line 9 of the code, the query SELECT * FROM admin WHERE username='$username' and password='$password' is built by string interpolation, and the $username value taken from $_POST is placed into it without any validation, escaping or parameter binding, which makes the query vulnerable to SQL Injection.
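For comparison, the following is an added example of the same login written with a mysqli prepared statement; it is not PHPGurukul's code and the project does not ship such a fix. It assumes the original admin table (columns id, username, password, with password stored as md5 of the cleartext) and the $con connection created by include/config.php, as in the vulnerable file above; everything else is the example's own.

```php
<?php
// Added example (not PHPGurukul's code): the admin login rewritten so that
// user input is bound as a parameter and never interpolated into SQL.
// Assumes the original `admin` table (id, username, password) and the
// $con mysqli connection created by include/config.php.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make prepare()/execute() failures throw instead of returning false
session_start();
include("include/config.php");

/**
 * Look up an admin row by username with a bound parameter.
 * Returns the row as an associative array, or null when no row matches.
 */
function find_admin(mysqli $con, string $username): ?array
{
    // The '?' placeholder is sent to MySQL separately from the data, so a
    // value such as "admin' -- -" is compared literally as a username and
    // cannot change the structure of the WHERE clause.
    $stmt = $con->prepare("SELECT id, username, password FROM admin WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

if (isset($_POST['submit'])) {
    $username = (string)($_POST['username'] ?? '');
    $password = (string)($_POST['password'] ?? '');

    $row = find_admin($con, $username);

    // The unchanged schema stores md5($password), so md5 is kept here only so
    // the example runs against the existing table; hash_equals() compares in
    // constant time. Moving stored hashes to password_hash()/password_verify()
    // is the recommended follow-up, since md5 is not a password hash.
    $ok = $row !== null && hash_equals($row['password'], md5($password));

    if ($ok) {
        session_regenerate_id(true); // issue a fresh session id on login (session fixation defence)
        $_SESSION['alogin'] = $row['username'];
        $_SESSION['id'] = $row['id'];
        header("location:change-password.php");
        exit();
    }

    $_SESSION['errmsg'] = "Invalid username or password";
    header("location:index.php");
    exit();
}
?>
```

Two details matter beyond the bound parameter. First, the original's if($num>0) test compares the fetched array against an integer, so any returned row is treated as success; the rewrite checks the password hash explicitly in PHP and only then starts the admin session. Second, the query no longer needs the password in its WHERE clause at all, which keeps the database lookup to a single exact-match on username and makes the authentication decision visible in one place.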