CVE-2021-42666

HIGH

Sourcecodester Engineers Online Portal - SQL Injection via Quiz Question ID Parameter

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2021-42666. PoCs published by Alon Leviev, 0xDeku.

AI-analyzed exploit summary This is a working proof-of-concept for an SQL injection vulnerability in Engineers Online Portal 1.0. The exploit demonstrates how to extract the MySQL server version by manipulating the 'id' parameter in the 'quiz_question.php' page.

Description

A SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter to quiz_question.php, which could let a malicious user extract sensitive data from the web server and in some cases use this vulnerability in order to get a remote code execution on the remote web server.

Exploits (3)

exploitdb WORKING POC

by Alon Leviev · textwebappsphp

https://www.exploit-db.com/exploits/50453

View Code ZIP pw:eip

This is a working proof-of-concept for an SQL injection vulnerability in Engineers Online Portal 1.0. The exploit demonstrates how to extract the MySQL server version by manipulating the 'id' parameter in the 'quiz_question.php' page.

Classification

Working Poc 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Engineers Online Portal 1.0

No auth needed

Prerequisites: Access to the vulnerable web application

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WRITEUP

by 0xDeku · poc

https://github.com/0xDeku/CVE-2021-42666

View Code ZIP pw:eip

This repository provides a technical description and proof-of-concept for CVE-2021-42666, an SQL injection vulnerability in the Engineers Online Portal system. The vulnerability exists in the 'id' parameter of the 'quiz_question.php' page, allowing attackers to extract sensitive data from the MySQL server.

Classification

Writeup 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Engineers Online Portal system

No auth needed

Prerequisites: Access to the vulnerable web page

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

inthewild WRITEUP

poc

https://github.com/thehackingrabbi/cve-2021-42666

View Code ZIP pw:eip

This repository provides a technical description and proof-of-concept payload for an SQL Injection vulnerability in the Engineers Online Portal system, specifically targeting the 'id' parameter in 'quiz_question.php'. It includes a functional SQLi payload to extract the MySQL server version but lacks executable exploit code.

Classification

Writeup 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Engineers Online Portal system

No auth needed

Prerequisites: Access to the vulnerable web page 'quiz_question.php'

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 23, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit, Third Party Advisory x_refsource_misc

https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/janobe/CVE-nu11-101321

Product, Third Party Advisory x_refsource_misc

https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html

Exploit, Third Party Advisory x_refsource_misc

https://github.com/TheHackingRabbi/CVE-2021-42666

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

https://www.exploit-db.com/exploits/50453

Scores

CVSS v3 8.8

EPSS 0.2682

EPSS Percentile 96.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

engineers_online_portal_project/engineers_online_portal 1.0

Published Nov 05, 2021

Tracked Since Feb 18, 2026