Portabilis i-Educar
cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*
Affected versions: <= 2.10
This vulnerability is being actively exploited in the wild.
A SQL injection vulnerability has been identified in the Portabilis i-Educar application, affecting versions through 2.10. The issue arises in the RegraAvaliacao module, specifically within the view endpoint, where the id parameter is not properly validated. This flaw allows remote attackers to inject malicious SQL payloads, which are executed by the database. The vulnerability could lead to unauthorized data access, database enumeration, data manipulation, and denial-of-service conditions. Additionally, there is a potential for escalation to remote code execution under certain circumstances.
Exploitation of this vulnerability allows for arbitrary SQL command execution on the backend database. This could result in unauthorized access to sensitive data, such as credentials and personal information, extraction of database schemas and details, manipulation of database records, and disruption of system availability through time-based query delays. Furthermore, according to VulDB, this vulnerability could be escalated to remote code execution if combined with other vulnerabilities and specific database features.
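The root cause described above, an id parameter that is spliced into SQL text without validation, shown as an added Python example (this is not i-Educar's own code, which is PHP; the table and column names, the in-memory SQLite database and the request values are all constructed for illustration). The vulnerable handler executes whatever SQL arrives in id, while the hardened handler first enforces an integer check and then binds the value as a query parameter, which is the fix a maintainer would apply to the view endpoint.

```python
import re
import sqlite3

ID_RE = re.compile(r"[0-9]+")  # the only shape a record id should ever have


def make_db():
    # Constructed in-memory table standing in for the evaluation-rule records;
    # table and column names are assumptions, not i-Educar's real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE regra_avaliacao (id INTEGER PRIMARY KEY, nome TEXT)")
    conn.executemany(
        "INSERT INTO regra_avaliacao VALUES (?, ?)",
        [(1, "Regra A"), (2, "Regra B"), (3, "Regra C")],
    )
    return conn


def view_vulnerable(conn, id_param):
    # Defect pattern: the request parameter is spliced into the SQL text, so the
    # database executes whatever SQL arrives in 'id' alongside the intended query.
    sql = f"SELECT id, nome FROM regra_avaliacao WHERE id = {id_param}"
    return conn.execute(sql).fetchall()


def view_hardened(conn, id_param):
    # Fix, part 1: reject anything that is not a plain unsigned integer before
    # it gets anywhere near SQL.
    if not isinstance(id_param, str) or not ID_RE.fullmatch(id_param):
        raise ValueError("id must be an unsigned integer")
    # Fix, part 2: bind the value as a parameter; the driver never treats it as SQL.
    sql = "SELECT id, nome FROM regra_avaliacao WHERE id = ?"
    return conn.execute(sql, (int(id_param),)).fetchall()


def hardened_rejects(conn, id_param):
    # True when the hardened handler refuses the input, False when it serves it.
    try:
        view_hardened(conn, id_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # A well-formed request returns one record from either handler.
    print(view_vulnerable(db, "2"), view_hardened(db, "2"))
    # A tautology in 'id' widens the vulnerable query to every row; the hardened
    # handler never builds a query for it at all.
    print(view_vulnerable(db, "0 OR 1=1"), hardened_rejects(db, "0 OR 1=1"))
```

The two parts of the fix are independent: parameter binding alone already stops the payload from being parsed as SQL, and the integer check on top of it gives the application a clean place to log and reject malformed requests before a database round trip.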
The vulnerability can be reproduced by sending a request to the '/module/RegraAvaliacao/view' endpoint with a crafted 'id' parameter that includes SQL injection payloads. This can be automated using the sqlmap tool, which can exploit the vulnerability and demonstrate its impact by extracting database information.
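A detection check for the exploitation pattern in the preceding paragraph, added here as an example that is not part of this advisory: it scans web-server access-log lines for requests to the view endpoint whose id is not a plain integer, and for the User-Agent string sqlmap sends by default (it identifies itself as sqlmap unless the operator overrides it). The log lines, addresses and User-Agent values are constructed, and the log format is assumed to be the common "combined" format; adjust LOG_RE for anything else.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/module/RegraAvaliacao/view"
ID_RE = re.compile(r"[0-9]+")

# Apache/nginx "combined" access-log format (assumed; adjust for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: documentation-range addresses, made-up timestamps,
# one benign request, one odd id on an unrelated path (ignored), one injected
# id on the affected endpoint, one sqlmap User-Agent, and one unparseable line.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2024:13:55:01 +0000] "GET /module/RegraAvaliacao/view?id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2024:13:55:04 +0000] "GET /module/Outro/view?id=3%20OR%201%3D1 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:56:10 +0000] "GET /module/RegraAvaliacao/view?id=3%20OR%201%3D1 HTTP/1.1" 200 9870 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:56:11 +0000] "GET /module/RegraAvaliacao/view?id=3 HTTP/1.1" 200 5120 "-" "sqlmap/1.7 (https://sqlmap.org)"
this line is not in the expected format and is skipped
"""


def classify(line):
    """Return a finding dict for a suspicious request to ENDPOINT, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != ENDPOINT:
        return None
    reasons = []
    # parse_qs percent-decodes, so encoded payloads are inspected in clear form.
    for value in parse_qs(url.query).get("id", []):
        if not ID_RE.fullmatch(value):
            reasons.append(f"non-numeric id {value!r}")
    if "sqlmap" in m["ua"].lower():
        reasons.append("sqlmap user-agent")
    if not reasons:
        return None
    return {"ip": m["ip"], "time": m["time"], "status": m["status"], "reasons": reasons}


def scan(lines):
    """Run classify over every line and keep only the findings."""
    return [f for f in map(classify, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

The id check is the durable signal: it keys on the shape the parameter must have rather than on any particular payload, so it also catches hand-crafted requests and time-based probes that never mention sqlmap. The User-Agent match is cheap corroboration and nothing more, since the string is trivially changed.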