CVE-2023-33338
published 2023-05-23

CVE-2023-33338: Old Age Home Management 1.0 is vulnerable to SQL Injection via the username parameter.

Priority: P261
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 3.66% (88.2th percentile)

Affected

1 ranges
Vendor: phpgurukul
Product: old_age_home_management_system
Version range: -
Fixed in: -

Detection & IOCs (extracted from sources)

url: /admin/login.php
command: username=vaday%27+or+1%3D1%23&password=password&submit=
  • Detect SQL injection auth-bypass attempt: POST to /admin/login.php with a username parameter containing a URL-encoded single-quote and OR 1=1 comment payload (vaday' or 1=1#)
  • Successful exploitation results in HTTP 200 on /admin/dashboard.php with body containing 'Change Password' and 'Old Age Home Management System|| Dashboard' — monitor for unauthenticated access to the dashboard endpoint following a login POST
  • Content-Type is application/x-www-form-urlencoded; inspect POST body to /admin/login.php for SQL metacharacters (single-quote, OR, comment sequences) in the username field
  • The Nuclei template requires two sequential requests: first a POST to /admin/login.php with the SQLi payload, then a GET to /admin/dashboard.php to confirm auth-bypass success. Both conditions must be met (HTTP 200 + specific body strings) for a true positive.
  • Vulnerability is unauthenticated (PR:N, UI:N) and network-reachable (AV:N), meaning no prior credentials or user interaction are required for exploitation.
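
An added example (not from the original page or the Nuclei template): the two-stage detection described in the bullets above, applied to parsed HTTP request events. The event fields (client, method, path, status, body), the function names and the sample events are constructed assumptions; matching on the dashboard body strings is left out because it needs response capture.

```python
import re
from urllib.parse import parse_qs

LOGIN_PATH, DASHBOARD_PATH = "/admin/login.php", "/admin/dashboard.php"
CHECKS = {  # SQL metacharacters named in the bullets above
    "quote": re.compile(r"'"),
    "or_tautology": re.compile(r"\bor\b\s+\S+\s*=\s*\S+", re.I),
    "comment": re.compile(r"#|--|/\*"),
}

def username_findings(body):
    """Names of the checks that match the URL-decoded username field of a form body."""
    values = parse_qs(body, keep_blank_values=True).get("username", [])
    return sorted(n for n, rx in CHECKS.items() if any(rx.search(v) for v in values))

def is_bypass_attempt(event):
    """POST to the login page whose username has a quote plus another SQL token."""
    if event["method"] != "POST" or event["path"] != LOGIN_PATH:
        return False
    found = username_findings(event.get("body", ""))
    return "quote" in found and len(found) >= 2  # a lone quote (o'brien) is not enough

def correlate(events):
    """Return (client, stage) alerts: 'attempt', then 'dashboard_200' if it follows."""
    suspects, alerts = set(), []
    for ev in events:  # events are assumed to be in time order
        if is_bypass_attempt(ev):
            suspects.add(ev["client"])
            alerts.append((ev["client"], "attempt"))
        elif (ev["client"] in suspects and ev["method"] == "GET"
              and ev["path"] == DASHBOARD_PATH and ev["status"] == 200):
            alerts.append((ev["client"], "dashboard_200"))
    return alerts

# Constructed sample events (documentation IP ranges), not real traffic.
SAMPLE_EVENTS = [
    {"client": "192.0.2.10", "method": "POST", "path": LOGIN_PATH, "status": 200,
     "body": "username=o%27brien&password=hunter2&submit="},
    {"client": "198.51.100.7", "method": "POST", "path": LOGIN_PATH, "status": 302,
     "body": "username=vaday%27+or+1%3D1%23&password=password&submit="},
    {"client": "198.51.100.7", "method": "GET", "path": DASHBOARD_PATH, "status": 200},
    {"client": "192.0.2.10", "method": "GET", "path": DASHBOARD_PATH, "status": 302},
]

if __name__ == "__main__":
    for client, stage in correlate(SAMPLE_EVENTS):
        print(client, stage)
```

Treat "attempt" as a probe and "dashboard_200" from the same client as the higher-severity signal, since only the second stage indicates the bypass worked.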