## https://sploitus.com/exploit?id=D092E8A4-E4CE-50B4-88D6-4DFCE3AD8CC2
# CVE-2025-66947
SQL Injection in krishanmuraiji SMS v1.0 (CVE-2025-66947)
# CVE-2025-66947: SQL Injection in krishanmuraiji SMS v1.0
## Description
A time-based blind SQL injection vulnerability exists in krishanmuraiji SMS v1.0 within the administrative module. The vulnerable endpoint /studentms/admin/edit-class-detail.php fails to validate the editid GET parameter, which is directly concatenated into an SQL query. An attacker can trigger controlled time delays using SQL SLEEP() to infer database contents, potentially leading to full database compromise.
## Affected Product
- krishanmuraiji SMS v1.0
- Repository: https://github.com/krishanmurariji/SMS
## Affected Component
/studentms/admin/edit-class-detail.php
Parameter: editid (GET)
## Attack Vector
Example payload:
## Proof of Concept
Observed response delays confirm time-based SQL injection:
- sleep(15) โ 15 seconds
- sleep(6) โ 6 seconds
- sleep(3) โ 3 seconds
## Impact
Successful exploitation may result in database disclosure, data manipulation, privilege escalation, and full compromise of backend data.
## Mitigation
- Use prepared statements
- Validate and cast input parameters
- Avoid dynamic SQL query construction
- Enforce least-privilege database access
## CVE ID
CVE-2025-66947
## Discoverer
Ranjan Kumar