| Title | DayCloud StudentManage 1.0 SQL Injection |
|---|
| Description | ## Title: SQL Injection Vulnerability in StudentManage
**BUG_Author:** sageee
**Vendor:** [StudentManage GitHub Repository](https://gitee.com/DayCloud/student-manage)
**Software:** [StudentManage](https://gitee.com/DayCloud/student-manage)
**Vulnerability Url:**
- `/admin/adminScoreUrl`
## Description:
1. **SQL Injection via User Login:**
- At the URL `/admin/adminScoreUrl`, the login function does not properly sanitize user input before using it in an SQL query.
- This can be exploited by sending a crafted request to the login endpoint with malicious SQL code.
2. **Exploiting the SQL Injection:**
- By injecting SQL, an attacker can manipulate the SQL query to bypass authentication or extract sensitive information from the database.
3. **Example SQL Injection Payload:**
- The following payload can be used to bypass authentication:
```
http://<target-ip>/StudentManage/adminScoreUrl?query=1' AND (SELECT 4668 FROM (SELECT(SLEEP(5)))Edrf) AND 'CAla'='CAla
```
4. **Requesting the Login Endpoint:**
- Make a request to the login endpoint with the SQL injection payload:
```
http://<target-ip>/StudentManage/adminScoreUrl?query=1
```
5. **Verifying the Exploit:**
- If the injection is successful, attackers can use tools to read the databases. |
|---|
| User | sageee (UID 82251) |
|---|
| Submit | 2025-03-03 11:02 AM (1 year ago) |
|---|
| Moderation | 2025-03-15 09:31 PM (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 299818 [DayCloud StudentManage 1.0 Login Endpoint /admin/adminScoreUrl query sql injection] |
|---|
| Points | 17 |
|---|
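
For defenders reviewing web logs for requests like the one in the description, the following added example (not part of the submission or of the StudentManage project) flags requests to `adminScoreUrl` whose `query` parameter carries SQL syntax. It assumes combined-format access logs; the log lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: combined-log-format lines; adapt the regex to your server's format.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

# SQL syntax of the kind seen in the reported request; checked after URL-decoding.
SUSPICIOUS = [
    ("quote", re.compile(r"['\"]")),
    ("subselect", re.compile(r"\(\s*select\b", re.I)),
    ("time-delay", re.compile(r"\bsleep\s*\(", re.I)),
]

def inspect_line(line):
    """Return {'ip', 'reasons'} if the line is a suspicious adminScoreUrl request."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/adminScoreUrl"):
        return None
    reasons = []
    # parse_qs percent-decodes values, so encoded payloads are matched as well.
    for value in parse_qs(url.query, keep_blank_values=True).get("query", []):
        reasons += [n for n, rx in SUSPICIOUS if rx.search(value) and n not in reasons]
    return {"ip": m.group("ip"), "reasons": reasons} if reasons else None

def scan(lines):
    """Inspect every log line and keep only the flagged requests."""
    return [hit for hit in map(inspect_line, lines) if hit]

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.10 - - [03/Mar/2025:11:00:01 +0000] '
    '"GET /StudentManage/adminScoreUrl?query=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [03/Mar/2025:11:02:00 +0000] '
    '"GET /StudentManage/adminScoreUrl?query=1%27%20AND%20(SELECT%204668%20FROM%20'
    '(SELECT(SLEEP(5)))Edrf)%20AND%20%27CAla%27=%27CAla HTTP/1.1" 200 512',
    '198.51.100.22 - - [03/Mar/2025:11:03:10 +0000] '
    '"GET /StudentManage/index?name=o%27brien HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], ",".join(hit["reasons"]))
```

Pairing flagged requests with response-time fields, where the server logs them, helps confirm time-delay probes.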