提交 #635801: Portabilis i-Educar 2.10 SQL Injection信息

标题	Portabilis i-Educar 2.10 SQL Injection
描述	SQL Injection (Boolean-Based) Vulnerability in id Parameter on /RegraAvaliacao/view?id=[id] Endpoint Summary A SQL Injection vulnerability was identified in the /module/RegraAvaliacao/view?id=[id] endpoint of the i-educar application, specifically in the id parameter. This vulnerability allows attackers to execute arbitrary SQL commands on the backend database, potentially compromising the confidentiality, integrity, and availability of application data. Details Vulnerable Endpoint: /module/RegraAvaliacao/view?id=[id] Parameter: id The application fails to properly validate and sanitize user input in the id parameter. As a result, attackers can inject crafted SQL payloads that are executed directly by the database. This could allow database enumeration, data exfiltration, modification, or denial of service via time-based delays. PoC Step by Step: Install sqlmap tool and type the command below: Payload: sqlmap -u "http://localhost:8086/module/RegraAvaliacao/view?id=1" -p id --cookie="i_educar_session=qEk2wbjxS5IbECJGqnIa0dbmIyI3XIsXqm3WSh6K" \ --dbms=PostgreSQL --technique=B --dbs --batch sqlmap begins to test a lot of SQLi in id parameter until find a boolean-based blind: image 1: https://github.com/KarinaGante/KGSec/raw/main/CVEs/images/SQLi6.png Some time after, sqlmap will list of available databases confirming that SQLi: image 2: https://github.com/KarinaGante/KGSec/raw/main/CVEs/images/SQLi7.png Still using sqlmap and discovering tables and columns it becomes possible to enumerate this information: image 3: https://github.com/KarinaGante/KGSec/raw/main/CVEs/images/SQLi8.png Impact Unauthorized data access: Reading sensitive information such as credentials, personal data, or configuration details Database enumeration: Extracting database schema, tables, and column details Data manipulation: Adding, modifying, or deleting database records. Denial of Service (DoS): Using time-based queries to impact system availability. Potential escalation to RCE: If combined with other vulnerabilities and specific database features. Finder Discovered by Karina Gante.
来源	⚠️ https://github.com/KarinaGante/KGSec/blob/main/CVEs/i-educar/12.md
用户	karinagante (UID 88113)
提交	2025-08-16 01時12分 (10 月前)
管理	2025-08-27 09時34分 (11 days later)
状态	已接受
VulDB条目	321551 [Portabilis i-Educar 直到 2.10 /RegraAvaliacao/view 标识符 SQL注入]
积分	20

◂ 上一步一览下一步 ▸

Want to stay up to date on a daily basis?

Enable the mail alert feature now!