Portabilis i-Educar
cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*
- <= 2.10
A SQL injection vulnerability has been identified in Portabilis i-Educar versions through 2.10. The issue resides in the '/module/Cadastro/aluno' endpoint, specifically within the 'id' parameter. This vulnerability allows remote attackers to execute arbitrary SQL commands on the application's backend database. The application fails to properly validate and sanitize user input, enabling the injection of crafted SQL payloads that could be used for database enumeration, data exfiltration or modification, or denial of service via time-based delays.
Exploitation of this vulnerability allows unauthorized access to database information, including sensitive data such as credentials and personal information. It also enables database enumeration and manipulation of database records. Additionally, the vulnerability could be used to create a denial-of-service condition by causing time-based delays in server response. In some cases, this type of vulnerability could be combined with other issues to escalate privileges to remote code execution.
To reproduce this vulnerability, access the '/intranet/educar_aluno_lst.php' page and select any student record. Once on the student's detail page, click 'Editar' to be redirected to the vulnerable endpoint. Insert the payload into the 'id' parameter, appending it to the end of the existing id value. For example, if the id is '208', the payload would be '208payload'. The injected SQL command can be crafted to, for instance, execute a time-based delay, demonstrating the successful exploitation of the SQL injection vulnerability.
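A defender-side check for the request pattern described above, added here as an example and not taken from the advisory or the i-Educar project: it scans web access logs for requests to '/module/Cadastro/aluno' whose 'id' value is anything other than plain digits. It assumes the common/combined access log format with 'id' carried in the query string; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the advisory.
VULNERABLE_PATH = "/module/Cadastro/aluno"
PARAM = "id"
# Assumption: the request line appears quoted, as in common/combined log format.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP range, placeholder values).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /module/Cadastro/aluno?id=208 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /module/Cadastro/aluno?id=208payload HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2025:10:00:09 +0000] "GET /module/Cadastro/aluno?id=208%2527x HTTP/1.1" 500 312',
    '198.51.100.7 - - [01/Jan/2025:10:00:12 +0000] "GET /intranet/educar_aluno_lst.php?id=abc HTTP/1.1" 200 900',
]

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so a double-encoded value is seen in clear."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_ids(log_line):
    """Return decoded 'id' values that are not plain digits, for the endpoint only."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if not unquote(url.path).rstrip("/").endswith(VULNERABLE_PATH):
        return []
    # parse_qs decodes once and drops blank values, so an empty id is not flagged.
    values = parse_qs(url.query).get(PARAM, [])
    return [v for v in map(fully_decode, values) if not re.fullmatch(r"[0-9]+", v)]

def scan(lines):
    """Return (line_number, offending_values) for every flagged request."""
    hits = ((n, suspicious_ids(line)) for n, line in enumerate(lines, 1))
    return [(n, bad) for n, bad in hits if bad]

if __name__ == "__main__":
    for line_no, bad in scan(SAMPLE_LOG):
        print(f"line {line_no}: non-numeric id {bad!r}")
```

Parameters sent in a POST body do not appear in access logs, so this covers only the query-string case.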