| Title | DayCloud StudentManage 1.0 SQL Injection |
|---|
| Description | ## Title: SQL Injection Vulnerability in StudentManage
**BUG_Author:** sageee
**Vendor:** [StudentManage GitHub Repository](https://gitee.com/DayCloud/student-manage)
**Software:** [StudentManage](https://gitee.com/DayCloud/student-manage)
**Vulnerability Url:**
- `/admin/adminScoreUrl`
## Description:
1. **SQL Injection via User Login:**
- In the url `/admin/adminScoreUrl`, the login function does not properly sanitize user input before using it in an SQL query.
- This can be exploited by sending a crafted request to the login endpoint with malicious SQL code.
2. **Exploiting the SQL Injection:**
- By injecting SQL, an attacker can manipulate the SQL query to bypass authentication or extract sensitive information from the database.
3. **Example SQL Injection Payload:**
- The following payload can be used to bypass authentication:
```
http://<target-ip>/StudentManage/adminScoreUrl?query=1' AND (SELECT 4668 FROM (SELECT(SLEEP(5)))Edrf) AND 'CAla'='CAla
```
4. **Requesting the Login Endpoint:**
- Make a request to the login endpoint with the SQL injection payload:
```
http://<target-ip>/StudentManage/adminScoreUrl?query=1
```
5. **Verifying the Exploit:**
- If the injection is successful, Attackers can use tools to read databases |
|---|
| User | sageee (UID 82251) |
|---|
| Submission | 03/03/2025 11:02 (1 Year ago) |
|---|
| Moderation | 03/15/2025 21:31 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 299818 [DayCloud StudentManage 1.0 Login Endpoint /admin/adminScoreUrl Query sql injection] |
|---|
| Points | 17 |
|---|