Portabilis i-Educar SQL Injection Vulnerability in Formula de Cálculo de Média Page

Vulnerability

A SQL injection vulnerability has been identified in Portabilis i-Educar versions through 2.10. The issue resides in the '/module/FormulaMedia/view' endpoint, specifically within the 'id' parameter. This vulnerability allows remote attackers to execute arbitrary SQL commands on the backend database. Exploitation of this vulnerability could lead to unauthorized data access, database enumeration, data manipulation, and a denial-of-service condition via time-based delays. Additionally, there is a potential for escalation to remote code execution if combined with other vulnerabilities and specific database features.
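The root cause described above is a request parameter that reaches the SQL text unvalidated and unbound. The following is an added illustration of the mitigation, not code from i-Educar (which is a PHP application; the same two rules apply there with PDO prepared statements). It is written in Python against an in-memory SQLite table; the table `formula_media`, its rows and the lookup functions are constructed for this example.

```python
"""Handle an integer `id` request parameter so it can never be parsed as SQL.

Added illustration of the mitigation, not code from i-Educar. The table
`formula_media`, its rows and the lookup functions are constructed.
"""
import re
import sqlite3

# Rule 1: accept ASCII digits only. int() alone is too lenient: it accepts
# "+1", " 1 ", "1_0" and non-ASCII digits such as fullwidth "12", so it does
# not prove that the string is the plain integer the rest of the code expects.
ID_PATTERN = re.compile(r"[0-9]{1,10}")


def parse_record_id(raw: str) -> int:
    """Return the id as an int; raise ValueError for anything but plain digits."""
    if not isinstance(raw, str) or not ID_PATTERN.fullmatch(raw):
        raise ValueError(f"invalid id: {raw!r}")
    return int(raw)


def make_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE formula_media (id INTEGER PRIMARY KEY, nome TEXT)")
    conn.executemany(
        "INSERT INTO formula_media VALUES (?, ?)",
        [(1, "Media aritmetica"), (2, "Media ponderada"), (3, "Media harmonica")],
    )
    return conn


def vulnerable_lookup(conn, raw_id: str):
    """The pattern the advisory describes: the parameter is spliced into the
    statement text, so the database parses whatever the client sent as SQL."""
    return conn.execute(
        f"SELECT id, nome FROM formula_media WHERE id = {raw_id}"
    ).fetchall()


def safe_lookup(conn, raw_id: str):
    """Validate first, then bind. Rule 2: even a validated value goes in as a
    bound parameter, never into the SQL string."""
    record_id = parse_record_id(raw_id)
    return conn.execute(
        "SELECT id, nome FROM formula_media WHERE id = ?", (record_id,)
    ).fetchall()


def is_rejected(raw_id: str) -> bool:
    """True if parse_record_id refuses the input."""
    try:
        parse_record_id(raw_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = make_demo_db()
    print(vulnerable_lookup(conn, "1"))             # one row, as intended
    print(vulnerable_lookup(conn, "1 OR 1=1"))      # every row: the input became SQL
    print(safe_lookup(conn, "1"))                   # one row
    print(is_rejected("1 OR 1=1"), is_rejected("+1"), is_rejected("\uff11\uff12"))  # True True True
```

The two rules are independent: validation keeps the value in the shape the application expects, and binding keeps the database from parsing it as part of the statement. Binding alone would already close the injection, but without validation oddities such as a leading `+` or fullwidth digits still pass through `int()` unnoticed.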

Impact

Exploitation of this vulnerability allows for blind time-based SQL injection, where injected SQL commands are executed in the database, causing intentional delays that can be observed in the application response. This type of injection could be used to extract, modify, or delete database information, and disrupt normal application operations by slowing down the server response.

Reproduction

To reproduce this vulnerability, navigate to 'Escola > Cadastros > Tipos > Regras de Avaliação > Formula de Cálculo de Média' within the i-Educar application. Once there, the vulnerable endpoint can be accessed by sending a GET request to '/module/FormulaMedia/view' with a crafted 'id' parameter that includes SQL injection payloads. After the injection is executed, the server response time will increase, indicating that the SQL command was successfully executed.
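The two observables described above, an `id` value that is not a plain integer and a slower-than-usual response, are exactly what a defender can look for in web server logs. The following detection script is an added example, not part of the advisory or of i-Educar. It assumes a combined log format with the request duration in microseconds appended (Apache's `%D`), a 2 s threshold chosen for illustration, and constructed sample lines; it is scoped to the endpoint named on this page but takes the path as a parameter so it can be pointed at any integer-id route.

```python
"""Flag access-log requests to the i-Educar FormulaMedia endpoint whose id is
not a plain integer, or that took unusually long to answer.

Added detection example, not code from the advisory or from i-Educar.
Assumptions: combined log format with the request duration in microseconds
appended (Apache's %D); the 2 s threshold; the sample lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/module/FormulaMedia/view"
PLAIN_ID = re.compile(r"[0-9]{1,10}")        # what a legitimate id looks like
SLOW_US = 2_000_000                           # 2 s, assumed well above normal latency

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "[^"]*" "[^"]*" (?P<us>\d+)$'
)

# Constructed sample traffic, not real log data.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Aug/2025:03:10:01 +0000] "GET /module/FormulaMedia/view?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 83211
10.0.0.5 - - [29/Aug/2025:03:10:02 +0000] "GET /module/FormulaMedia/view?id=13 HTTP/1.1" 200 5098 "-" "Mozilla/5.0" 79004
203.0.113.7 - - [29/Aug/2025:03:11:40 +0000] "GET /module/FormulaMedia/view?id=12%27 HTTP/1.1" 500 312 "-" "python-requests/2.31" 91002
203.0.113.7 - - [29/Aug/2025:03:11:45 +0000] "GET /module/FormulaMedia/view?id=%28SELECT%201%29 HTTP/1.1" 200 5120 "-" "python-requests/2.31" 5103877
10.0.0.9 - - [29/Aug/2025:03:12:00 +0000] "GET /module/Avaliacao/view?id=7 HTTP/1.1" 200 2210 "-" "Mozilla/5.0" 60120
"""


def suspicious_requests(log_text, endpoint=ENDPOINT, slow_us=SLOW_US):
    """Return one (ip, decoded id, reasons) tuple per request to `endpoint`
    whose id is not a plain integer or whose response time reaches `slow_us`."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                          # unparsable line; count these in production
        url = urlsplit(m["target"])
        if url.path != endpoint:
            continue
        # parse_qs percent-decodes, so the check sees what the application saw
        ids = parse_qs(url.query, keep_blank_values=True).get("id", [])
        reasons = []
        for raw in ids:
            if not PLAIN_ID.fullmatch(raw):
                reasons.append(f"non-integer id {raw!r}")
        if len(ids) > 1:
            reasons.append("id parameter repeated")
        elapsed_us = int(m["us"])
        if elapsed_us >= slow_us:
            reasons.append(f"slow response {elapsed_us / 1e6:.1f}s")
        if reasons:
            findings.append((m["ip"], ids[0] if ids else None, reasons))
    return findings


if __name__ == "__main__":
    for ip, raw_id, reasons in suspicious_requests(SAMPLE_LOG):
        print(ip, raw_id, "; ".join(reasons))
```

A non-integer `id` on this route is a high-confidence signal on its own, since the page only ever receives a record number; the latency check adds the time-based symptom the advisory describes, and a burst of slow requests from one source with malformed ids is the pattern to alert on. A 500 status on such a request, as in the third sample line, is worth correlating with database error logs.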

Added: Aug 29, 2025, 3:17 AM
Updated: Aug 29, 2025, 3:17 AM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.