CVE-2025-10844

How I Found a Time-Based Blind SQL Injection in i-Educar (With Real Delay and PoC).


While diving into the i-Educar Open-Source project, I uncovered a critical time-based blind SQL Injection vulnerability in the id parameter of the module/Cadastro/aluno endpoint.
This flaw allows attackers to execute arbitrary SQL queries silently against the backend database, putting data confidentiality, integrity, and availability at risk.
After validating the issue with a payload that caused measurable delays in the server's response, I reported it responsibly, and it was officially assigned CVE-2025-10844.

CVE-2025-10844 is a SQL Injection vulnerability in the module/Cadastro/aluno endpoint of the i-Educar application.
The vulnerable parameter is id, which lacks proper input validation.
This makes it possible to inject arbitrary SQL into the query, including calls to PG_SLEEP() that introduce a measurable delay, which is how the flaw is confirmed as a time-based blind injection.

Vulnerable Endpoint: module/Cadastro/aluno

Affected Parameter: id

Payload Used (Encoded)

%27%20AND%209581=(SELECT%209581%20FROM%20PG_SLEEP(5))%20AND%20%27bffB%27=%27bffB

Payload Used (Decoded)

' AND 9581=(SELECT 9581 FROM PG_SLEEP(5)) AND 'bffB'='bffB

To reproduce the vulnerability:

➤ Access the endpoint /intranet/educar_aluno_lst.php and choose an id.

➤ In the new page click on “Editar”.

➤ The system redirects to a URL like:

http://localhost:8086/module/Cadastro/aluno?id=[ID]

➤ Now, modify the `id` parameter with the payload:
/module/Cadastro/aluno?id=[ID]' AND 9581=(SELECT 9581 FROM PG_SLEEP(5)) AND 'bffB'='bffB

The server will take 5 seconds to respond, confirming that the SQL query was executed successfully.
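A defensive complement, added here and not part of the original report: a small log scanner that URL-decodes request targets from web-server access logs and flags the PG_SLEEP() payload described above, as well as any non-numeric value sent in the integer `id` parameter. The sample log lines, the IP addresses and the id value 42 are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log sample (not from the original report). The second line
# carries the URL-encoded payload quoted in the write-up, with a made-up id of 42.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2025:10:01:02 +0000] "GET /module/Cadastro/aluno?id=42 HTTP/1.1" 200 5120
10.0.0.7 - - [12/Sep/2025:10:01:09 +0000] "GET /module/Cadastro/aluno?id=42%27%20AND%209581=(SELECT%209581%20FROM%20PG_SLEEP(5))%20AND%20%27bffB%27=%27bffB HTTP/1.1" 200 5120
10.0.0.9 - - [12/Sep/2025:10:02:30 +0000] "GET /intranet/educar_aluno_lst.php HTTP/1.1" 200 8800
"""

# Parameters the application treats as integer keys (an assumption for this example).
NUMERIC_PARAMS = {"id"}
REQUEST_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
PG_SLEEP = re.compile(r"\bpg_sleep\s*\(", re.IGNORECASE)


def inspect_target(target):
    """Return a list of (param, reason) findings for one request target."""
    findings = []
    # parse_qsl percent-decodes each value, so %27 and %20 become ' and space.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if PG_SLEEP.search(value):
            findings.append((name, "pg_sleep() in parameter value"))
        elif name in NUMERIC_PARAMS and not value.isdigit():
            findings.append((name, "non-numeric value for integer parameter"))
    return findings


def scan_log(text):
    """Scan raw access-log text; return one dict per suspicious parameter."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue  # not a recognisable request line
        for param, reason in inspect_target(m.group("target")):
            alerts.append({"ip": m.group("ip"),
                           "path": urlsplit(m.group("target")).path,
                           "param": param, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ip']} {a['path']} param={a['param']}: {a['reason']}")
```

The non-numeric check is the one that would also catch the original request had the delay function been renamed, since a legitimate `id` for this endpoint never contains a quote.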


Report

You can access the full report, with the complete step-by-step instructions, here:

CVE-2025-10844 Report

This vulnerability can be exploited to:

  • Access sensitive data stored in the database;
  • Enumerate database schemas, tables, and columns;
  • Modify, delete, or insert arbitrary records;
  • Steal user credentials and personal information;
  • Perform a denial of service (DoS) attack by triggering long query delays;
  • In some cases, escalate to Remote Code Execution (RCE).

The flaw was ethically reported and assigned CVE-2025-10844.

SQL injection attacks remain one of the most critical threats to web applications, especially when silent and time-based. This discovery demonstrates how a single unvalidated parameter can compromise the entire database behind a platform.

If you're a developer or security analyst, be aware: even small, seemingly harmless endpoints can hide dangerous flaws.

Discovered with 💜 by Karina Gante.


Official Member of CVE-Hunters🏹
