Online Exam System Time-Based Blind SQL Injection Vulnerability in Feedback Form

A time-based blind SQL injection vulnerability has been identified in the Online Exam System 2015, specifically within the feedback form. This vulnerability allows attackers to extract database password hashes by exploiting the 'feed.php' endpoint. The exploitation involves sending crafted payloads that use time delays to systematically enumerate password characters.

Impact

Exploitation of this vulnerability allows for time-based blind SQL injection, where an attacker can extract password hashes from the database.

Reproduction

To reproduce this vulnerability, send a POST request to the 'feed.php' endpoint with a payload that includes a SQL injection payload designed to exploit time-based blind SQL injection. The payload should be crafted to use time delays to enumerate password characters. Monitor the response time to determine if the injection was successful.