Portabilis i-Educar
cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*
- <= 2.10
A SQL injection vulnerability has been identified in the Portabilis i-Educar application, affecting versions up to 2.10. The vulnerability resides in the TabelaArredondamento module, specifically within the edit endpoint. The issue arises from improper validation and sanitization of the id parameter, allowing remote attackers to inject malicious SQL payloads. This exploitation could lead to unauthorized data access, database enumeration, data manipulation, and denial-of-service conditions through time-based SQL injection techniques.
Exploitation of this vulnerability allows for blind, time-based SQL injection, where an attacker can execute SQL commands that cause intentional delays in the application's response. Such a technique could be used to extract data or manipulate database records. Additionally, this vulnerability could be combined with other issues to escalate privileges or achieve remote code execution, depending on the database features and application context.
To reproduce this vulnerability, navigate to the 'Escola' menu and access the 'Tabelas de Arredondamento' section. Once there, the vulnerable endpoint can be accessed by sending a POST request to '/module/TabelaArredondamento/edit' with an injected payload in the 'id' parameter. The payload should be crafted to exploit the SQL injection vulnerability, such as by using a time-based injection technique that demonstrates control over the SQL query execution.
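To make the defect class concrete from the defender's side, here is an added, hypothetical PHP/PDO illustration that is not i-Educar's own code: an edit handler that splices the id parameter into the query text (the pattern the advisory describes) beside a hardened handler that validates id as a positive integer and binds it as a query parameter. The table name `tabela_arredondamento`, its columns, the function names, and the in-memory SQLite fixture are assumptions made for this example and are not taken from the project.

```php
<?php
// Hypothetical i-Educar-style edit handler (example code, not the project's).
// Shows the vulnerable pattern and its hardened replacement side by side.
declare(strict_types=1);

// VULNERABLE PATTERN: the untrusted id is concatenated into the SQL text, so any
// value that is not a plain number changes the query instead of being data.
function findArredondamentoVulnerable(PDO $db, string $id): ?array
{
    // Table and column names are assumptions for this demo.
    $sql = "SELECT * FROM tabela_arredondamento WHERE id = $id";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: validate the shape of id first, then bind it as a typed parameter so
// the database never parses user input as SQL.
function findArredondamentoSafe(PDO $db, string $rawId): ?array
{
    // 1. Validation: only a positive decimal integer is an acceptable id.
    if (!ctype_digit($rawId) || $rawId === '0') {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    // 2. Parameter binding: the value travels separately from the query text.
    $stmt = $db->prepare('SELECT * FROM tabela_arredondamento WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo fixture: an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE tabela_arredondamento (id INTEGER PRIMARY KEY, nome TEXT)');
$db->exec("INSERT INTO tabela_arredondamento (id, nome) VALUES (1, 'Padrao')");

// A well-formed id is looked up normally.
var_dump(findArredondamentoSafe($db, '1'));

// A malformed id is rejected before any SQL is sent to the database.
try {
    findArredondamentoSafe($db, '1 OR 1=1');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The two-step structure matters: validation alone is brittle (a later refactor may widen the accepted shape), and binding alone still lets a handler accept junk that produces confusing errors, so the hardened version does both. For detection on unpatched deployments, POST requests to /module/TabelaArredondamento/edit whose id parameter is not a plain positive integer, or whose responses show unusually long server-side delays, are the signal to alert on, since both are exactly what the time-based technique described above relies on.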