BiggiDroid Simple PHP CMS SQL Injection Vulnerability in Admin Login Component

A SQL injection vulnerability has been identified in BiggiDroid Simple PHP CMS version 1.0. The issue arises in the Admin Login component, specifically within the file '/admin/login.php'. The vulnerability allows remote attackers to manipulate the 'Username' argument, leading to unauthorized access by bypassing authentication. This exploitation is possible by injecting SQL code that is executed by the application's database, effectively allowing attackers to log in as an administrator without the correct password.

Impact

Exploitation of this vulnerability allows for SQL injection, which could be used to manipulate the application's database. In this case, it is exploited to bypass authentication and gain unauthorized access to the admin panel, achieving a 'universal user' takeover.

Reproduction

To reproduce this vulnerability, navigate to the admin login page of a BiggiDroid Simple PHP CMS 1.0 installation. In the password field, enter a crafted payload that includes SQL injection syntax, such as 'admin' OR '1'='1'--. This input exploits the application's SQL query handling by injecting code that alters the query's logic, bypassing authentication and granting access to the admin panel.