Advertisement






Online Course Registration 2.0 - SQL Injection on Student Pincode Verification (Verification Code By

CVE Category Price Severity
CWE-89 Unknown Critical
Author Risk Exploitation Type Date
Unknown High Remote 2021-06-17
CVSS EPSS EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021060106

Below is a copy:

Online Course Registration 2.0 - SQL Injection on Student Pincode Verification (Verification Code Bypass)
# Exploit Title: Online Course Registration 2.0 - SQL Injection on Student Pincode Verification (Verification Code Bypass)
# Date: 14 June 2021
# Exploit Author: BHAVESH KAUL
# Author Linkedin: https://www.linkedin.com/in/bhavesh-kaul-cs/
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/online-course-registration-free-download/
# Version: 2.0
# Tested on: Server: XAMPP

# Description #

Online Course Registration 2.0 is vulnerable to SQL Injection on it's student pincode verification field because of insufficient user supplied data sanitization and the sql injection payload being executed. A malicious attacker student is able to enroll to any course without having to know the student verification code.

# Proof of Concept (PoC) : Exploit #

1) Login as student with default credentials: 10806121/Test@123

2) Goto: http://localhost/onlinecourse/pincode-verification.php

2) Enter the following payload and click Verify: ' OR 'x'='x

3) SQL Injection successful and student is able to enroll in any course

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.