Tutorial Patch Bypass Admin Login
September 18, 2019
Hi everyone, earlier I found a website whose admin login can be bypassed, so rather than letting it get trashed, I figured I'd just fix it.
Here is the login source code from that site.
<?php
session_start();
include('includes/config.php');
if (isset($_POST['login'])) {
    // Vulnerable: the username goes into the SQL string without any escaping.
    $email = $_POST['username'];
    $password = md5($_POST['password']);
    $sql = "SELECT UserName,Password FROM admin WHERE UserName='$email' and Password='$password'";
    $result = mysqli_query($conn, $sql);
    if ($result) {
        $noofresult = mysqli_num_rows($result);
        if ($noofresult > 0) {
            while ($row = mysqli_fetch_assoc($result)) {
                // The query selects UserName, not FullName, so read that column.
                $usrname = $row['UserName'];
            }
            $_SESSION['alogin'] = $_POST['username'];
            echo "<script type='text/javascript'> document.location = 'change-password.php'; </script>";
        } else {
            echo "<script>alert('Invalid Details');</script>";
        }
    }
}
?>
How do you patch it? It's really easy, everyone: you only need to add
$email=addslashes(trim($_POST['username']));
Like this:
<?php
session_start();
include('includes/config.php');
if (isset($_POST['login'])) {
    // Patch: trim the input and escape quotes and backslashes before building the query.
    $email = addslashes(trim($_POST['username']));
    $password = addslashes(trim(md5($_POST['password'])));
    $sql = "SELECT UserName,Password FROM admin WHERE UserName='$email' and Password='$password'";
    $result = mysqli_query($conn, $sql);
    if ($result) {
        $noofresult = mysqli_num_rows($result);
        if ($noofresult > 0) {
            while ($row = mysqli_fetch_assoc($result)) {
                // The query selects UserName, not FullName, so read that column.
                $usrname = $row['UserName'];
            }
            $_SESSION['alogin'] = $_POST['username'];
            echo "<script type='text/javascript'> document.location = 'change-password.php'; </script>";
        } else {
            echo "<script>alert('Invalid Details');</script>";
        }
    }
}
?>
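addslashes() does not know the connection's character set, so the more robust form of this fix is a prepared statement that never mixes input into the SQL text. The following is an added example, not the site's code or the patch above: it uses PDO with an in-memory SQLite database so it runs without the site's MySQL connection (with mysqli the same pattern is mysqli_prepare() plus mysqli_stmt_bind_param()). It assumes the Password column holds password_hash() output instead of MD5; the function names and the sample account are constructed.

```php
<?php
// Added example with constructed data; PDO + in-memory SQLite stands in
// for the MySQL connection that includes/config.php provides on the site.

function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE admin (UserName TEXT PRIMARY KEY, Password TEXT NOT NULL)');
    // Constructed account. Assumption: Password stores password_hash() output, not MD5.
    $ins = $db->prepare('INSERT INTO admin (UserName, Password) VALUES (?, ?)');
    $ins->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the matching UserName on success, null otherwise.
function admin_login(PDO $db, string $username, string $password): ?string
{
    // The SQL text is fixed; the username travels separately as a bound value,
    // so quotes or backslashes in it cannot change the structure of the query.
    $stmt = $db->prepare('SELECT UserName, Password FROM admin WHERE UserName = ?');
    $stmt->execute([trim($username)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Check the password in PHP instead of inside the WHERE clause.
    if ($row === false || !password_verify($password, $row['Password'])) {
        return null;
    }
    return $row['UserName'];
}

$db = make_demo_db();
$cases = [
    ["o'brien", 'correct horse'],   // correct credentials; the quote is plain data
    ["o'brien", 'wrong password'],  // known user, wrong password
    ["o'brien'", 'correct horse'],  // extra trailing quote in the username
    ['nobody', 'correct horse'],    // unknown user
];
foreach ($cases as [$user, $pass]) {
    $who = admin_login($db, $user, $pass);
    printf("%-10s %-15s => %s\n", $user, $pass, $who === null ? 'rejected' : "logged in as $who");
}
```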
That's it, haha, really easy, right? That's all for this tutorial from me; sorry if I got any wording wrong.