Submission #43467: Gas Agency Management System have Vulnerability

Title: Gas Agency Management System have Vulnerability
Description: In the login interface of this CMS, the parameters are not escaped, and no protection measures are set, which leads to SQL injection. The attacker can log in to the background through the universal password. The file location is gasmark/login.php; part of the source code is as follows:

```
if($_POST) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    //echo $password;exit;
    if(empty($username) || empty($password)) {
        if($username == "") {
            $errors[] = "Username is required";
        }
        if($password == "") {
            $errors[] = "Password is required";
        }
    } else {
        $sql = "SELECT * FROM users WHERE username = '$username'";
        $result = $connect->query($sql);
```

When we use the following payload, we can bypass the login verification and go directly to the postscript:

```
username: 1' or 1=1#
password: 1
```

https://img-blog.csdnimg.cn/e1f59036a87b46529b2403445caf85c2.png
https://img-blog.csdnimg.cn/3232cb47c9ac418e983f6b7145bcf4d7.png

Source link: https://www.sourcecodester.com/php/15586/gas-agency-management-system-project-php-free-download-source-code.html
Source: ⚠️ https://www.sourcecodester.com/visual-basic-net/15538/college-attendance-system-cas.html
User: quan9i (UID 30726)
Submission: 2022-08-11 04:25 PM (4 years ago)
Moderation: 2022-08-12 12:51 PM (20 hours later)
Status: Accepted
VulDB Entry: 206248 [SourceCodester Gas Agency Management System gasmark/login.php username SQL injection]
Points: 20
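
A hardened form of the login query quoted in the description, as an added example that is not the project's or the submitter's code. It assumes a PDO handle (an in-memory SQLite database with one constructed account stands in for the application's `$connect`) and a `password` column holding `password_hash()` output; the function names and the table layout beyond `users.username` are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the application's database (assumption: the real
// app uses its own $connect handle; only users.username is known from the report).
function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
    $ins = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $ins->execute(['admin', password_hash('constructed-demo-password', PASSWORD_DEFAULT)]);
    return $db;
}

// Hardened login check: the username is bound as a parameter, so quotes and
// comment markers in it are compared as data and never parsed as SQL.
function check_login(PDO $db, array $post, array &$errors): ?array
{
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    if (!is_string($username) || !is_string($password) || $username === '' || $password === '') {
        $errors[] = 'Username and password are required';
        return null;
    }
    $stmt = $db->prepare('SELECT id, username, password FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    // One error for "unknown user" and "wrong password", so the response
    // does not reveal which usernames exist.
    if ($user === false || !password_verify($password, $user['password'])) {
        $errors[] = 'Invalid username or password';
        return null;
    }
    unset($user['password']); // never hand the hash to the session or templates
    return $user;
}

$db = make_demo_db();
$attempts = [
    'payload from the report' => ['username' => "1' or 1=1#", 'password' => '1'],
    'valid credentials'       => ['username' => 'admin', 'password' => 'constructed-demo-password'],
];
foreach ($attempts as $label => $post) {
    $errors = [];
    $user = check_login($db, $post, $errors);
    echo $label, ': ', $user ? 'logged in as ' . $user['username'] : 'rejected (' . implode('; ', $errors) . ')', PHP_EOL;
}
```

The same prepare-and-bind pattern is available in mysqli through `prepare()` and `bind_param()` if the application's `$connect` is a mysqli object.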
