Bank Locker Management System SQL Injection
- Exploit Title: Bank Locker Management System - SQL Injection
- Application: Bank Locker Management System
- Date: 12.09.2023
- Bugs: SQL Injection
- Exploit Author: SoSPiro
- Vendor Homepage: https://phpgurukul.com/
- Software Link: https://phpgurukul.com/bank-locker-management-system-using-php-and-mysql/
- Tested on: Windows 10 64 bit Wampserver
Description:
This report highlights a critical SQL Injection vulnerability discovered in the “Bank Locker Management System” application. The vulnerability allows an attacker to bypass authentication and gain unauthorized access to the application.
Vulnerability Details:
- Application Name: Bank Locker Management System
- Software Link: https://phpgurukul.com/bank-locker-management-system-using-php-and-mysql/
- Vendor Homepage: https://phpgurukul.com/
Vulnerability Description:
The SQL Injection vulnerability is present in the login mechanism of the application. By providing the following payload in the login and password fields:
Payload: admin' or '1'='1-- -
An attacker can gain unauthorized access to the application with administrative privileges.
Proof of Concept (PoC):
- Visit the application locally at http://blms.local (assuming it is hosted on localhost).
- Navigate to the "banker" directory: http://blms.local/banker/
- In the login and password fields, input the following payload:
admin' or '1'='1-- -
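The following is an added example, not code from the advisory or from the vendor's application: it reproduces the authentication bypass against a constructed in-memory table using the payload above, and shows that the same login logic written with a parameterised query rejects it. The table name, columns and sample accounts are assumptions; the real schema is not given in the advisory. A small log-side check for the payload pattern is included as a detection aid, not as a fix.

```python
import re
import sqlite3

# Constructed sample accounts (assumption: real schema/credentials are not on the page).
SAMPLE_ROWS = [("admin", "S3cret!"), ("teller", "pass123")]

# The login-bypass string from the advisory. "--" opens a SQL comment, so the
# rest of the statement (the password check) is discarded by the database.
# The trailing " -" only matters for MySQL, which requires whitespace after "--".
PAYLOAD = "admin' or '1'='1-- -"


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's banker table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE banker (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO banker VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def login_vulnerable(conn, username: str, password: str):
    """String-concatenated query: the pattern that makes the bypass work.
    Returns the matched username, or None if no row matched."""
    sql = ("SELECT username FROM banker WHERE username='" + username
           + "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Parameterised query: input is bound as data and never parsed as SQL,
    so the quote and comment characters in the payload have no effect."""
    sql = "SELECT username FROM banker WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Detection heuristic for request/auth logs: a quote followed by an OR
# tautology or a comment marker. Useful for alerting on attempts, but it is
# a signal only; parameterised queries are the actual mitigation.
_SQLI_PATTERN = re.compile(r"'\s*or\s+'|'\s*--|'\s*#", re.IGNORECASE)


def looks_like_login_sqli(value: str) -> bool:
    return bool(_SQLI_PATTERN.search(value))
```

Run against the constructed table, `login_vulnerable` returns a user for the payload while `login_safe` returns None for it and still accepts the genuine credentials.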