@th4s1s
Created January 2, 2025 10:18
Student Management System has a SQL Injection vulnerability via the $sid parameter in /config/DbFunction.php.

Project

https://code-projects.org/student-management-system-using-php-source-code/

Vulnerability

/config/DbFunction.php - $sid parameter of showSubject1().

Description

The SQL Injection vulnerability exists in /config/DbFunction.php, where the function showSubject1() interpolates the subject identifier $sid directly into the SQL statement without any restriction, validation, sanitization or parameter binding. Because $sid is placed inside single quotes in the query text, a value containing a quote terminates the literal and the rest of the input is executed as SQL. Reaching an OS shell from this injection (as in the PoC below) additionally relies on the MySQL account being able to write files into a web-served directory (the FILE privilege, with secure_file_priv not preventing it); without that, the impact is reading and modifying database contents rather than Remote Code Execution (RCE).

function showSubject1($sid){

	$db = Database::getInstance();
	$mysqli = $db->getConnection();
	// $sid is concatenated into the query text unescaped: this is the injection point.
	$query = "SELECT * FROM subject where subid='$sid' ";
	$stmt= $mysqli->query($query);
	return $stmt;

}
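The following is an added example, not code from the gist or from the Student Management System project. It puts the vulnerable pattern beside a parameterised replacement that a maintainer could drop into showSubject1(). It assumes, as the snippet above shows, that the project works with a mysqli handle (obtained there via Database::getInstance()->getConnection()) and that the table and column are named subject and subid; the payload string is constructed for illustration.

```php
<?php
// Added example, not the project's code. The mysqli handle is passed in here
// instead of fetched from the project's Database singleton so the functions
// can be tested on their own.

// Vulnerable form, as in /config/DbFunction.php: $sid is spliced into the SQL text.
function showSubject1_vulnerable(mysqli $mysqli, string $sid)
{
    $query = "SELECT * FROM subject where subid='$sid' ";
    return $mysqli->query($query);
}

// Builds the query text exactly as the vulnerable function does, so the effect
// of a hostile $sid can be inspected without a database connection.
function buildVulnerableQuery(string $sid): string
{
    return "SELECT * FROM subject where subid='$sid' ";
}

// Constructed payload. Interpolated into the query it yields
//   SELECT * FROM subject where subid='' OR '1'='1' -- '
// so the WHERE clause is always true and every subject row is returned;
// a UNION or stacked-query payload in the same position is what an automated
// tool builds on to read other tables or, with FILE privilege, write files.
$payload = "' OR '1'='1' -- ";
echo buildVulnerableQuery($payload), PHP_EOL;

// Hardened form: the value is bound as a parameter and travels to MySQL
// separately from the statement text, so quotes in $sid cannot change the
// structure of the query.
function showSubject1(mysqli $mysqli, string $sid): ?mysqli_result
{
    $stmt = $mysqli->prepare("SELECT * FROM subject WHERE subid = ?");
    if ($stmt === false) {
        return null;                 // prepare failed; caller decides how to report it
    }
    $stmt->bind_param('s', $sid);    // bound as a string, never interpolated
    if (!$stmt->execute()) {
        $stmt->close();
        return null;
    }
    $result = $stmt->get_result();   // requires the mysqlnd driver
    $stmt->close();
    return $result === false ? null : $result;
}
```

Callers that previously did `$r = showSubject1($sid)` keep the same result object for successful SELECTs; the only behavioural change is that a failed prepare or execute now returns null instead of false, which a caller should check. If subid is an integer column in the schema, binding with 'i' after an is_numeric() check is tighter still.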

PoC

Get OS-shell and execute command: [screenshot not reproduced here]
