Enrollment System Project v1.0 - SQL Injection Authentication Bypass (SQLI)
# Exploit Title: Enrollment System Project v1.0 - SQL Injection Authentication Bypass (SQLI)
# Date of found: 18/05/2023
# Exploit Author: VIVEK CHOUDHARY @sudovivek
# Version: V1.0
# Tested on: Windows 10
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14444/enrollment-system-project-source-code-using-phpmysql.html
# CVE: CVE-2023-33584
# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33584
Vulnerability Description -
Enrollment System Project V1.0, developed by Sourcecodester, has been found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability allows an attacker to manipulate the SQL queries executed by the application. The system fails to properly validate user-supplied input in the username and password fields during the login process, enabling an attacker to inject malicious SQL code. By exploiting this vulnerability, an attacker can bypass authentication and gain unauthorized access to the system.
Steps to Reproduce -
The following steps outline the exploitation of the SQL Injection vulnerability in Enrollment System Project V1.0:
1.Launch the Enrollment System Project V1.0 application.
2.Open the login page by accessing the URL: http://localhost/enrollment/login.php.
3.In the username and password fields, insert the following SQL Injection payload shown inside brackets to bypass authentication: {' or 1=1 #}.
4.Click the login button to execute the SQL Injection payload.
As a result of successful exploitation, the attacker gains unauthorized access to the system and is logged in with administrative privileges.Enrollment System Project v1.0: A Case Study in SQL Injection Authentication Bypass
On May 18, 2023, cybersecurity researcher Vivek Choudhary (@sudovivek) uncovered a critical vulnerability in the Enrollment System Project v1.0, a popular PHP-based web application hosted on Sourcecodester. The flaw, identified as CVE-2023-33584, enables attackers to bypass authentication through a simple SQL Injection (SQLI) exploit—highlighting how even basic applications can become gateways to full system compromise if input validation is neglected.
Understanding SQL Injection: The Core Threat
SQL Injection is one of the most prevalent and dangerous web vulnerabilities. It occurs when an application fails to sanitize user input before incorporating it into SQL queries. Malicious payloads can manipulate database logic, allowing attackers to extract sensitive data, modify records, or—most critically—bypass authentication.
In the case of Enrollment System Project v1.0, the login mechanism relies on a direct SQL query using user-provided credentials. Without proper sanitization or parameterized queries, attackers can inject code that alters the logic of the authentication check.
Exploitation Steps: How the Bypass Works
Here’s how the vulnerability can be exploited in practice:
- Access the login page at
http://localhost/enrollment/login.php. - Enter the following payload in the username field:
' or 1=1 #. - Leave the password field empty or insert any value (it’s ignored due to the SQL logic).
- Click the Login button.
As a result, the application executes a malformed SQL query that effectively evaluates to TRUE regardless of actual credentials. This allows the attacker to gain unauthorized access—often with administrative privileges, depending on how the database roles are defined.
Real-World Code Example: The Vulnerable Query
// Vulnerable PHP code snippet from login.php
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$result = mysqli_query($connection, $query);
Explanation: This code directly concatenates user input into a SQL query. The absence of prepared statements or input validation makes it susceptible to SQL Injection. When an attacker inputs ' or 1=1 #, the resulting query becomes:
SELECT * FROM users WHERE username = '' or 1=1 # AND password = 'anything'
Because 1=1 is always true, the entire condition evaluates to TRUE, and the database returns any matching record—effectively granting access without valid credentials.
Why This Exploit is So Dangerous
Despite its simplicity, this attack demonstrates several critical cybersecurity principles:
- Minimal effort, maximum impact: The exploit requires no advanced tools—just a browser and basic knowledge of SQL.
- Authentication bypass: The attacker gains full access without knowing the actual password, undermining the core security of any system.
- Database exposure: If the query returns user data, attackers can extract sensitive information like email addresses, role assignments, or even other passwords.
Moreover, this vulnerability is particularly dangerous in educational or institutional systems where enrollment data may include personal identifiers, grades, or access permissions.
Corrective Measures: Securing the Application
To prevent such vulnerabilities, developers must adopt secure coding practices. Here’s a corrected version using prepared statements:
// Secure PHP code using prepared statements
$username = $_POST['username'];
$password = $_POST['password'];
$stmt = $connection->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
$result = $stmt->get_result();
Explanation: The prepare() method creates a parameterized query. Input values are bound separately, preventing SQL injection. Even if an attacker submits ' or 1=1 #, the database treats it as a literal string—not executable SQL.
Best Practices for Developers
| Practice | Benefit |
|---|---|
| Use prepared statements | Eliminates SQL injection risk by separating code from data. |
| Input validation | Filters out dangerous characters like ', ;, OR. |
| Use parameterized queries | Enforces secure data handling across all database interactions. |
| Implement logging and monitoring | Detects suspicious login attempts and potential exploits. |
Conclusion: A Wake-Up Call for Open-Source Developers
The Enrollment System Project v1.0 vulnerability serves as a stark reminder that even seemingly harmless open-source projects can harbor critical flaws. Developers must prioritize security from the outset—not as an afterthought. The CVE-2023-33584 exploit underscores the importance of:
- Adopting secure coding standards.
- Testing applications for common vulnerabilities.
- Regularly updating and patching code.
For organizations deploying such systems, conducting vulnerability assessments and enforcing input sanitization is not optional—it’s essential for protecting data integrity and user trust.