📄 CloudClassroom-PHP-Project 1.0 SQL Injection

🗓️ 25 Jun 2025 00:00:00Reported by Tansique DasariType

packetstorm🔗 packetstorm.news👁 168 Views

Critical SQL injection in CloudClassroom Project loginlinkadmin.php enables unauthenticated admin access.

Reporter	Title	Published	Views	Family All 12
GithubExploit	Exploit for SQL Injection in Vishalmathur Cloudclassroom-Php_Project	11 Jan 202618:05	–	githubexploit
GithubExploit	Exploit for SQL Injection in Vishalmathur Cloudclassroom-Php_Project	18 Jun 202518:19	–	githubexploit
Circl	CVE-2025-26198	10 Jun 202506:56	–	circl
CNNVD	CloudClassroom-PHP-Project 安全漏洞	18 Jun 202500:00	–	cnnvd
CVE	CVE-2025-26198	18 Jun 202500:00	–	cve
Cvelist	CVE-2025-26198	18 Jun 202500:00	–	cvelist
EUVD	EUVD-2025-18659	3 Oct 202520:07	–	euvd
NVD	CVE-2025-26198	18 Jun 202518:15	–	nvd
OSV	CVE-2025-26198	18 Jun 202518:15	–	osv
Positive Technologies	PT-2025-26183 · Unknown · Cloudclassroom-Php Project	18 Jun 202500:00	–	ptsecurity

# 🛡️ CVE Disclosure: CVE-2025-26198 — SQL Injection in CloudClassroom-PHP-Project
    
    **Disclosure Date:** 18 June 2025  
    **CVE ID:** CVE-2025-26198  
    **Severity:** CRITICAL (CVSS 9.8)
    
    ---
    
    ## 🧩 Summary
    
    A critical SQL Injection vulnerability exists in `CloudClassroom-PHP-Project v1.0`, specifically within the `loginlinkadmin.php` endpoint. The application directly incorporates unsanitized user inputs into SQL queries, allowing unauthenticated attackers to bypass authentication and gain full administrative access.
    
    This issue has been assigned the identifier **CVE-2025-26198**. At the time of public disclosure, **no official patch** was available.
    
    ---
    
    ## 📦 Affected Product
    
    - **Vendor:** Independent (mathurvishal)
    - **Project:** [CloudClassroom-PHP-Project](https://github.com/mathurvishal/CloudClassroom-PHP-Project)
    - **Version:** v1.0
    - **File:** `loginlinkadmin.php`
    - **Vulnerable Endpoint:**  
      `http://localhost/CloudClassroom-PHP-Project-master/loginlinkadmin.php`
    
    ---
    
    ## 🔬 Vulnerability Details
    
    The admin login mechanism uses unsanitized input directly in SQL queries without any input validation or prepared statements:
    
    ```php
    $query = "SELECT * FROM admin WHERE username='$username' AND password='$password'";
    ```
    
    This allows for injection payloads such as:
    
    ```sql
    Username: ' OR '1'='1
    Password: [any value]
    ```
    
    This bypasses authentication logic by evaluating to a true condition, thereby granting access to the admin dashboard.
    
    ---
    
    ## 📌 CWE Classification
    
    | CWE ID | Title                                                                 |
    |--------|-----------------------------------------------------------------------|
    | [CWE-89](https://cwe.mitre.org/data/definitions/89.html) | Improper Neutralization of Special Elements used in an SQL Command |
    
    ---
    
    ## 📊 CVSS v3.1 Score
    
    | Score | Severity | Vector String                              |
    |-------|----------|---------------------------------------------|
    | 9.8   | CRITICAL | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
    
    ---
    
    ## 💥 Impact
    
    A successful exploitation could result in:
    
    - ✅ Full **authentication bypass**
    - 🔓 **Unauthorized access** to privileged admin features
    - 🛠️ Potential **data leakage or manipulation** using `UNION`-based SQL injection
    - ⚠️ Full **compromise of the backend database**
    
    ---
    
    ## 🧪 Proof of Concept (PoC)
    
    ### 1. Clone the Repository
    
    ```bash
    git clone https://github.com/mathurvishal/CloudClassroom-PHP-Project.git
    ```
    
    ### 2. Host Locally
    
    Use XAMPP/LAMP to deploy the project and navigate to:
    
    ```
    http://localhost/CloudClassroom-PHP-Project-master/loginlinkadmin.php
    ```
    
    ### 3. Payload Injection
    
    Enter the following credentials in the login form:
    
    - **Username:** `' OR '1'='1`
    - **Password:** `[any value]`
    
    You will be logged in as the first admin user, verifying successful SQL injection.
    
    ---
    
    ## 🔐 Recommendations
    
    - ✅ Replace dynamic SQL queries with **prepared statements** (`mysqli_prepare()` or **PDO**).
    - 🔍 Perform **input validation and sanitization** for all user inputs.
    - 🧱 Deploy a **Web Application Firewall (WAF)** to block known SQL injection patterns.
    - 🛡️ Conduct **regular code audits** and **penetration testing** for early detection.
    
    ---
    
    ## 📆 Timeline
    
    | Event                    | Date           |
    |--------------------------|----------------|
    | Vulnerability Discovered | 14 April 2025  |
    | Public Disclosure        | 18 June 2025   |
    | Patch Available          | ❌ Not available as of disclosure |
    
    ---
    
    ## 🙋‍♂️ Credits
    
    This vulnerability was discovered and responsibly disclosed by:
    
    **Tansique Dasari**  
    🔗 [GitHub](https://github.com/phantomtrace)  
    ✉️ [[email protected]](mailto:[email protected])
    
    ---
    
    ## 🔗 References
    
    - [OWASP - SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
    - [PortSwigger - SQL Injection](https://portswigger.net/web-security/sql-injection)
    - [CloudClassroom GitHub Repository](https://github.com/mathurvishal/CloudClassroom-PHP-Project)
    - [CVE-2025-26198 on CVE.org](https://cve.org/CVERecord?id=CVE-2025-26198)
    
    ---
    
    > 💬 *This advisory is published independently due to lack of vendor response.*

25 Jun 2025 00:00Current

8.5High risk

Vulners AI Score8.5

CVSS 3.19.8

EPSS0.00994

SSVC