Vendor: School Management System
By: Samiran Santra
CVSS: 9.8 (CRITICAL)
Type: SQL Injection
CWE: 89
Product Name: School Management System
Affected Version From: 3.0.4
Affected Version To: 3.0.4
Patch Exists: NO
Related CVE: CVE-2018-7477
CPE: a:phpscriptsmall:school_management_system:3.0.4
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows
2018
SQL Injection exists in PHP Scripts Mall School Management Script 3.0.4.
An SQL injection vulnerability exists in PHP Scripts Mall School Management Script 3.0.4. An attacker can exploit this vulnerability by entering a malicious SQL query in the Username and Password fields of the parent_login.php page. This allows the attacker to log in as an admin user.
Mitigation:
Input validation should be used to prevent SQL injection attacks.
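The following is an added example, not code from the affected product: a login check that applies allow-list input validation and also binds the username through a prepared statement, so text typed into the Username and Password fields is never parsed as SQL. The `parents` table, its columns, the `parentLogin` function and the in-memory SQLite database are assumptions made for illustration; the product's real schema and database layer are not shown on this page.

```php
<?php
declare(strict_types=1);

// Hypothetical hardened login check. Table and column names are assumptions.
function parentLogin(PDO $db, string $username, string $password): bool
{
    // Input validation: allow-list the username format before touching the database.
    if (!preg_match('/\A[A-Za-z0-9_.-]{3,32}\z/', $username)) {
        return false;
    }
    // Prepared statement: the value is bound as data and never parsed as SQL.
    $stmt = $db->prepare('SELECT password_hash FROM parents WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    // The password is compared to a stored hash in PHP, not matched inside the query.
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed test data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE parents (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO parents (username, password_hash) VALUES (?, ?)');
$ins->execute(['parent01', password_hash('correct-horse', PASSWORD_DEFAULT)]);

// Constructed inputs: valid, wrong password, and values containing a quote character.
$cases = [
    ['parent01', 'correct-horse'],
    ['parent01', 'wrong-password'],
    ["parent01'", 'anything'],
    ['parent01', "pass'word"],
];
foreach ($cases as [$u, $p]) {
    $result = parentLogin($db, $u, $p) ? 'accepted' : 'rejected';
    printf("%-12s %-16s => %s\n", $u, $p, $result);
}
```

Validation alone is easy to get wrong for free-form fields such as passwords, which is why the password never reaches the SQL text here and the username is bound as a parameter even after it passes the allow-list.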