Posted by Andrey Stoykov on Jul 07
# Exploit Title: Faculty Evaluation System – SQL Injection
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Version: 1.0
# Tested on: Windows Server 2022
SQLi #1
File: edit_evaluation
Line #4
$qry = $conn->query("SELECT * FROM ratings where id = ".$_GET['id'])->fetch_array();
[…]
SQLi #2
File: view_faculty.php
Line #4
// Add "id" parameter after "view_faculty" parameter then add equals…
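For contrast with the vulnerable query in SQLi #1, this is an added example of the same ratings lookup rewritten with a mysqli prepared statement; it is not the vendor's code. It assumes $conn is an open mysqli connection and keeps only the table and column names (ratings, id) taken from the advisory.

```php
<?php
// Added example, not from the Faculty Evaluation System: the id is validated
// as an integer and then bound as a parameter, so it can never alter the
// structure of the SQL statement the way the concatenated $_GET['id'] does.

function fetch_rating_by_id(mysqli $conn, $raw_id): ?array
{
    // Reject anything that is not a positive integer before it reaches the DB.
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // Placeholder instead of string concatenation.
    $stmt = $conn->prepare('SELECT * FROM ratings WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('i', $id);   // 'i' = bind as integer
    $stmt->execute();

    $result = $stmt->get_result(); // requires the mysqlnd driver
    $row = $result ? $result->fetch_array(MYSQLI_ASSOC) : null;
    $stmt->close();

    return $row ?: null;
}

// Vulnerable pattern from the advisory, for comparison only:
//   $qry = $conn->query("SELECT * FROM ratings where id = ".$_GET['id'])->fetch_array();

// Hardened call site (assumes $conn was created earlier by the application):
$rating = fetch_rating_by_id($conn, $_GET['id'] ?? '');
if ($rating === null) {
    http_response_code(404);
    exit('rating not found');
}
```

The same change applies to any other endpoint that builds a query from a request parameter, such as the view_faculty.php finding in SQLi #2.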