CVE-2021-42668 - SQL Injection vulnerability in the Engineers online portal system.
An SQL Injection vulnerability exists in the Engineers Online Portal. An attacker can leverage the vulnerable "id" parameter in the "my_classmates.php" web page in order to manipulate the sql query performed. As a result the attacker can extract sensitive data from the web server.
Affected components -
Vulnerable page - my_classmates.php
Vulnerable parameter - "id"
- Navigate to http://localhost/nia_munoz_monitoring_system/my_classmates.php
- Insert your payload in the id parameter
The following payload will allow you to extract the MySql server version running on the web server -
' union select NULL,NULL,NULL,NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL;-- -
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42668
https://nvd.nist.gov/vuln/detail/CVE-2021-42668
Alon Leviev(0xDeku), 22 October, 2021.
