header-logo
Suggest Exploit
vendor:
Online-Exam-System
by:
Berk Dusunur
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Online-Exam-System
Affected Version From: 2015
Affected Version To: 2015
Patch Exists: NO
Related CWE: N/A
CPE: a:sunnygkp10:online-exam-system
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: MacosX
2020

Online-Exam-System 2015 – ‘fid’ SQL Injection

A vulnerability exists in Online-Exam-System 2015, where an attacker can inject malicious SQL code into the 'fid' parameter of the 'dash.php' page, allowing them to access sensitive information from the database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query.
Source

Exploit-DB raw data:

# Exploit Title: Online-Exam-System 2015 - 'fid' SQL Injection
# Exploit Author: Berk Dusunur
# Google Dork: N/A
# Type: Web App
# Date: 2020-05-28
# Vendor Homepage: https://github.com/sunnygkp10/
# Software Link: https://github.com/sunnygkp10/Online-Exam-System-.git
# Affected Version: 2015
# Tested on: MacosX
# CVE : N/A

# PoC

Affected code

<?php if(@$_GET['fid']) {
echo '<br />';
$id=@$_GET['fid'];
$result = mysqli_query($con,"SELECT * FROM feedback WHERE id='$id' ") or
die('Error');

http://berklocal/dash.php?fid=SQL-INJECTION

Navigation

Suggest Exploit

Services By CQR