SKC Infotech Admin Bypass & SQL Injection Vulnerability

CVE Category Price Severity
N/A CWE-89 N/A High
Author Risk Exploitation Type Date
Unknown High Remote 2024-02-08

CVSS vector description

Our sensors found this exploit at:

Below is a copy:

SKC Infotech Admin Bypass & SQL Injection Vulnerability
# Exploit Title : SKC Infotech Admin Bypass & SQL Injection Vulnerability
# Discovered By : MrHoudini
# Contact Me : [email protected]
# Date : 08-02-2024
# Vendor Homepage :
[!] Description.:
SQL injection attacks usually targets database and all of them are the results of programming errors.
If programmer couldn't checked the inputs correctly, so the attacker can send his/her commands to database.
If programmer do this errors at admin page input and the inputs haven't been checked correctly,
occur a very bad thing that allow attacker login to administrator panel
with combination the passwords that turn the result to True in php.
Request Method :
[+] POST
Vulnerable Module:
[+] Login
Vulnerable Parameter:
[+](username) and (Password)
[!] Bug.........:
$result=mysql_query("select * from login where user='$user' and pswd='$pswd'");
echo "bad user";
[!] PoC.........:
To bypass the admin login: '= 'or'
[!] Live Demo. For Admin Page :
Url Target Admin Panel :
[!] Live Demo. For SQL Injection :
[!] Solution...:
PHP functions can be averted with the bug
Check input variable:
And other ctype & gettype family functions
*String entries with the database functions
--mysql_real_escape_string or sqlite_escape_string or ....
-If functions are not available in the database
--str_replace , addslashes

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.